Security considerations

Data confidentiality

Rudder is designed to strictly separate policies between nodes, and to only let a node access its own policies.

This section will give details about how the policies are secured, and which content is node-specific or global.

Private data

All confidential information should be stored in private data, namely:

  • the directives, groups, rules, and their parameters

  • the techniques parameters in the Technique Editor

  • the shared-files directory

There are:

  • always transferred encrypted between nodes (using agent copy protocol or https for the interface and the API)

  • only available to the nodes that need it

  • only accessible locally by the users that need it

More precisely:

  • root server:

    • all the data is present on it

    • files are readable and writable only by the root user and (for some of them) the rudder group

    • some data is also accessible from our backends (PostgreSQL, OpenLDAP), but only locally (the services are listening on loopback) and from Rudder-specific users, with passwords only accessible to the root user

    • accessible remotely by the Web interface (needs an authorized user account) or the API (needs a token)

  • relay: only the data needed for the served nodes and the relay itself are available and stored locally, only accessible to the root user

  • node: only the data needed to configure the node is available and stored locally, only accessible to the root user

Common data

This refers to content available from all nodes in the authorized networks, readable from all users on the nodes.

These unprotected contents are:

  • the common ncf part (/var/rudder/ncf/common), which includes all the content distributed in the ncf package

  • the Rudder techniques sources without parameters /var/rudder/configuration-repository/techniques

Node-Server communication security

This section gives more details about the different flows between nodes and servers.

  • All flows use TLS 1.2+ (except for syslog reporting which is not encrypted by default).

  • All Rudder nodes have their own certificate and key pair, used for authentication.

  • The certificate that will be used is extracted from the inventory at node acceptation and can later by managed through the nodes API.

File copy

File copy is used to get policies and files copied during policy execution (named shared-files). It uses a custom file copy protocol inside standard TLS (on port 5309).

The access policy is:

  • Peer to peer key exchange, without central authority.

  • TOFU (Trust On First Use) for policy server key on the node. If the server changes key, the node will refuse to connect.

  • Node-specific files have an ACL restricting access to the node only (based on its public key)

  • Common files have an IP restriction ACL based on the Allowed Networks

Inventory and HTTP-based reporting

Nodes send an inventory to the server after installation or upgrade, and once a day. Reports are sent at the end of every agent run.

They are sent by the node to its configured policy_server over HTTPS, with optional certificate validation. Once a node is accepted, all HTTPS reports and inventories will be checked before being accepted. To force reports signature, you need to use the "HTTPS only" reporting mode, which disables syslog reporting totally.

Syslog reporting

Syslog reports are sent in plain text and are not authentified. Starting from 6.0, syslog reporting is disabled by default and present for compatibility with older agents.


← File description Data confidentiality →