Audit vs. Enforce - Policy Mode
In this section you will:
As you saw just before, we configured one of our directives in "Audit mode". You may have guessed, according to its name, what this means.
Rudder has two available policy modes:
Enforce: it will modify the target system, if necessary, to achieve the expected state
Audit: it will only report about non-compliant components
This is why you can see the red surface is our compliance bars, and the non-compliance of our user technique which is in audit mode. It means our target system is not compliant according to our desired state (here the existence of the demo user, which does not exist on a newly installed system).
What we can do now is change the policy mode of the directive to use the default value (which is enforce), and re-run the agent to make our system compliant.
Go back to the demo user directive. You can use the Directive page, or use the quick search field, in the header bar. Here you can search for any Rudder item (there is even a small query language!).
And click on your directive to go to its configuration page. Now change policy mode to default, and save.
You can get back to your SSH session, and re-run
rudder agent update rudder agent run
You will see the actual modification happening, with a "repaired" state, and the demo user now exists on the system. If you go back to the dashboard, everything is green and compliance has reached 100%.
This policy mode can be used in different cases:
Adding an existing machine, to check if its state matches the expected state, and only enable modification mode if it is correct, to avoid breaking anything
Adding a configuration item on nodes chere it was not previously managed. It allows easily checking if assumptions about the current state are correct before changing anything.
We will now see how to manage other nodes, and more advanced configuration features.