Slide 1: Cyber Security Review, April 23-24, 2002. Operated by the Southeastern Universities Research Association for the U.S. Department of Energy. Thomas Jefferson National Accelerator Facility.
Cfengine @ JLab
David J. Bianco, bianco@jlab.org

Slide 2: Table of Contents
- Introduction
- JLab's Environment
- What is cfengine?
- JLab's cfengine architecture
- JLab templates
- Summary
- Questions

Slide 3: JLab's Unix Environment
- ~90 central computing Unix servers (Linux, Solaris, HP): general computing resources, web, email, etc.
- ~50 CAD nodes (HP)
- ~185 compute farm nodes (Linux)
- A large number of user-managed Unix workstations (mostly Linux)

Slide 4: JLab's Unix Environment
- The lab's Unix admin staff is just 6 people.
- Changes are made to these machines all the time.
- As with any environment, proper communication and documentation can be a problem.
- Once a problem is fixed, will it remain fixed?
- Several recent incidents have underscored the need for proper configuration management.
- In January 2002, JLab started looking into cfengine to help solve these problems.

Slide 5: What is cfengine?
- Stands for "Configuration Engine"
- Policy-driven configuration management for a network of machines
- Open source
- Unix and NT/2000 (mostly Unix, though)

Slide 6: What is cfengine?
- Developed by Mark Burgess at Oslo University College in 1993
- Used on an estimated 100,000 nodes worldwide
- Currently in version 2.0

Slide 7: What is cfengine?
Three main parts:
- cfagent (the agent that applies policy on each host)
- Network services (the cfservd file server and cfrun remote trigger)
- Declarative configuration templates
Plus an optional anomaly detection service (cfenvd)

Slide 8: JLab's cfengine Architecture
- Cfengine Unix clients (desktops and servers)
- Cfengine master server
- Configuration database
- Critical file database

Slide 9: JLab's cfengine Architecture
Cfengine master server contains:
- Cfengine binaries for all platforms
- All configuration templates
- Master copies of critical system/software configuration files
Cfengine clients contain:
- Local copies of their own binaries
- A complete copy of the configuration templates

Slide 10: JLab's cfengine Architecture
- Clients use crontab to run "cfexecd -F" every 30 minutes: a wrapper that runs cfagent and emails any output to the system administrator.
- "Splay time" (a random delay before each run) keeps all clients from overloading the master at once.
- Cfagent automatically copies updated binaries and config templates from the master.
- Most configuration checks are performed during each run.
- Expensive checks (file sweeps) are performed only during the midnight run.

Slide 11: JLab's cfengine Architecture
An administrator can also run cfengine manually:
- As the local root user, on a single client: cfagent
- As the cfengine admin, remotely from the master: cfrun

Slide 12: Installing cfengine on a host
Run /local/cfengine/bin/cfinstall as root. Log is /tmp/cfinstall-

    Starting cfengine installation for sysdevs1 @ Tue Mar 5 09:08:42 EST 2002
    Installation host is: SunOS
    Generating keypair... DONE
    Exchanging keypairs...
    Running cfagent for the first time...
    cfengine:sysdevs1: Update of image /home/janed/.ssh/authorized_keys from master /local/cfengine/REPOSITORY/common/home/janed/.ssh/authorized_keys on cfm.jlab.org
    [Additional config output]

Slide 13: Summary
- JLab uses cfengine 2.0 to manage configuration on a network of hundreds of Unix hosts.
- The configuration master contains full copies of all cfengine binaries, templates and important system files.
- All network connections are encrypted and mutually authenticated.
- The template files are modular, enabling us to pick and choose among the pieces we run for a particular host.
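The following is an added illustration, not configuration from the talk or from JLab, of what the architecture in slides 9 through 11 and the modular templates mentioned in the summary look like in cfengine 2 syntax: an update.conf that pulls the current templates from the master on every run, and a cfagent.conf that imports per-platform pieces, keeps a critical file in sync with its master copy over an encrypted copy, and confines the expensive file sweep to the midnight run. Only cfm.jlab.org, the /local/cfengine/REPOSITORY tree, jlab.org and bianco@jlab.org come from the slides; /var/cfengine, the inputs subdirectory, the cf.* file names, the sshd_config path, the 5-minute splay and the webserver group are assumptions.

```cfengine
# ---- update.conf (read by cfagent before cfagent.conf on every run) ----
# Keeps the client's copy of the templates current (slide 10).
control:
   actionsequence  = ( copy )
   domain          = ( jlab.org )
   policyhost      = ( cfm.jlab.org )
   # Assumed locations; only /local/cfengine/REPOSITORY is from the talk.
   master_cfinput  = ( /local/cfengine/REPOSITORY/inputs )
   workdir         = ( /var/cfengine )

copy:
   $(master_cfinput) dest=$(workdir)/inputs
                     server=$(policyhost)
                     r=inf mode=700 owner=root group=root
                     type=binary
                     encrypt=true
                     exclude=*~

# ---- cfagent.conf (the site policy proper) ----
control:
   actionsequence  = ( copy files shellcommands )
   domain          = ( jlab.org )
   # cfexecd -F mails each run's output to this address.
   sysadm          = ( bianco@jlab.org )
   # Random delay (minutes) before each run so 300+ clients do not
   # hit the master at the same cron tick. Value is assumed.
   SplayTime       = ( 5 )

# Hypothetical host group used to select an optional template below.
groups:
   webserver = ( www1 www2 )

# Modular templates: every host reads cf.common, then only the pieces
# that match its hard classes (linux, solaris, hpux) or its group.
import:
   any::       cf.common
   linux::     cf.linux
   solaris::   cf.solaris
   hpux::      cf.hpux
   webserver:: cf.web

# Critical file kept identical to the master copy. type=checksum only
# copies when content differs; encrypt=true carries it over the
# authenticated, encrypted cfservd channel. A changed file defines a
# class that drives the restart below. Path is assumed.
copy:
   /local/cfengine/REPOSITORY/common/etc/ssh/sshd_config
        dest=/etc/ssh/sshd_config
        server=cfm.jlab.org
        mode=644 owner=root group=root
        type=checksum
        encrypt=true
        define=restart_sshd

shellcommands:
   linux.restart_sshd::
      "/etc/init.d/sshd restart"

# Expensive sweep only at midnight. With cron firing at :00 and :30,
# Hr00 alone would match twice, so the minute class narrows it to one run.
files:
   Hr00.Min00_05::
      /usr mode=-0002 recurse=inf action=warnall
```

The client side of this is the crontab line from slide 10, for example `0,30 * * * * /local/cfengine/bin/cfexecd -F` (the binary path is assumed). For the copies to succeed, cfservd.conf on the master must grant the clients read access to the repository in its `admit:` section, and each client's public key must already be known to the master, which is what the "Exchanging keypairs" step of cfinstall on slide 12 establishes.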

Slide 14: Questions?
David J. Bianco

