Security considerations
Data confidentiality
Rudder is designed to strictly separate policies between nodes, and to only let a node access its own policies.
This section will give details about how the policies are secured, and which content is node-specific or global.
Private data
All confidential information should be stored in private data, namely:
- the directives, groups, rules, and their parameters
- the technique parameters in the Technique Editor
- the shared-files directory
They are:
- always transferred encrypted between nodes (using the agent copy protocol, or HTTPS for the web interface and the API)
- only available to the nodes that need them
- only accessible locally by the users that need them
More precisely:
- root server:
  - all the data is present on it
  - files are readable and writable only by the root user and (for some of them) the rudder group
  - some data is also accessible from the backends (PostgreSQL, OpenLDAP), but only locally (the services listen on loopback) and from Rudder-specific users, with passwords readable only by the root user
  - accessible remotely through the web interface (needs an authorized user account) or the API (needs a token)
- relay: only the data needed for the served nodes and the relay itself is available and stored locally, accessible only to the root user
- node: only the data needed to configure the node is available and stored locally, accessible only to the root user
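A quick way to verify the "accessible only to the root user" property on a server, relay or node is to look for anything under a private-data directory that carries permission bits for "other". The script below is an added example, not part of Rudder; the directory to audit is supplied by the caller, and the test data is a constructed temporary tree. Group permissions are deliberately tolerated because some root-server files are legitimately shared with the rudder group.

```shell
#!/bin/sh
# Added example, not part of Rudder: report files or directories under a
# private-data directory that are readable, writable or searchable by "other".
# Group bits are tolerated because some files are shared with the rudder group.
# The directory to audit is supplied by the caller; no Rudder path is assumed.

audit_private_dir() {
    dir="$1"
    # -perm -004 / -002 / -001: other-read, other-write, other-execute (search) bit set.
    # Symlinks are skipped because their own mode bits are not meaningful.
    leaks=$(find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) | sort)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}
```

Run it as root (so `find` can descend into root-only directories) against each directory that is supposed to hold private data; an exit status of 1 means at least one path was listed and is exposed to every local user. Directories that are meant to be common (such as `/var/rudder/ncf/common`) will of course be reported, which is expected: only run the check on the private ones.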
Common data
This refers to content available to all nodes in the authorized networks, readable by all users on the nodes.
These unprotected contents are:
- the common ncf part (/var/rudder/ncf/common), which includes all the content distributed in the ncf package
- the Rudder technique sources without parameters (/var/rudder/configuration-repository/techniques)
Node-Server communication security
This section gives more details about the different flows between nodes and servers.
- All flows use TLS 1.2+.
- All Rudder nodes have their own certificate and key pair, used for authentication.
- The certificate used for a node is the one extracted from its inventory at acceptance time; it can later be managed through the nodes API.
File copy
File copy is used to get policies and files copied during policy execution (named shared-files). It uses a custom file copy protocol inside standard TLS (on port 5309).
The access policy is:
- Peer-to-peer key exchange, without a central authority.
- TOFU (Trust On First Use) for the policy server key on the node: the key presented on the first connection is recorded, and if the server later presents a different key, the node refuses to connect.
- Node-specific files have an ACL restricting access to that node only (based on its public key).
- Common files have an IP-based ACL derived from the Allowed Networks.
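The access policy above combines two decisions: the node pins the policy server key (and must refuse, not re-pin, when it changes), and the server gates each file either by the requesting node's key or by the source IP. The following Python model is an added example, not Rudder's code: the keys, node IDs, IP ranges and the `common/...` / `nodes/<node-id>/...` path layout are constructed for the illustration and do not reflect Rudder's real on-disk layout or wire format.

```python
"""Added example, not Rudder's code: a model of the file copy access policy
(TOFU pinning of the policy server key on the node, and per-file ACLs on the
server). Keys, node IDs and the path layout are constructed for illustration."""
import hashlib
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-ins for encoded public keys (not real key material).
SERVER_KEY_V1 = b"constructed-policy-server-key-v1"
SERVER_KEY_V2 = b"constructed-policy-server-key-v2"   # a rotated/impostor key
NODE_A_KEY = b"constructed-node-a-key"
NODE_B_KEY = b"constructed-node-b-key"


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a key: SHA-256 of its encoded bytes."""
    return hashlib.sha256(public_key).hexdigest()


class KeyChanged(Exception):
    """Raised when the presented policy server key differs from the pinned one."""


class PolicyServerPin:
    """Node side: trust the policy server key on first use, then pin it."""

    def __init__(self) -> None:
        self.pinned: Optional[str] = None

    def check(self, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        if self.pinned is None:
            self.pinned = fp            # first use: record and trust
            return "pinned"
        if fp != self.pinned:
            # The server "changed key": refuse rather than silently re-pin.
            raise KeyChanged(f"pinned {self.pinned[:16]}..., got {fp[:16]}...")
        return "ok"


class ShareAcl:
    """Server side: common files are gated by source IP (Allowed Networks),
    node-specific files by the requesting node's key.
    Hypothetical layout: 'common/...' and 'nodes/<node-id>/...'."""

    def __init__(self, allowed_networks: List[str], node_keys: Dict[str, bytes]) -> None:
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.node_fps = {nid: fingerprint(k) for nid, k in node_keys.items()}

    def allowed(self, path: str, client_ip: str, client_key: bytes) -> bool:
        parts = path.strip("/").split("/")
        if parts[0] == "common":
            ip = ipaddress.ip_address(client_ip)
            return any(ip in net for net in self.networks)
        if parts[0] == "nodes" and len(parts) > 2:
            expected = self.node_fps.get(parts[1])
            # Only the node whose key was accepted may read its own files,
            # regardless of where the request comes from.
            return expected is not None and expected == fingerprint(client_key)
        return False                    # unknown layout: deny by default


def rejects_key_change() -> bool:
    """Scenario: pin v1, then the server presents v2; the node must refuse."""
    pin = PolicyServerPin()
    pin.check(SERVER_KEY_V1)
    try:
        pin.check(SERVER_KEY_V2)
    except KeyChanged:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Exercise the ACL with two nodes and one allowed network."""
    acl = ShareAcl(["192.0.2.0/24"], {"node-a": NODE_A_KEY, "node-b": NODE_B_KEY})
    return {
        "common_from_allowed_net": acl.allowed("common/ncf.tar", "192.0.2.10", NODE_A_KEY),
        "common_from_other_net": acl.allowed("common/ncf.tar", "198.51.100.7", NODE_A_KEY),
        "own_files_any_ip": acl.allowed("nodes/node-a/policy.cf", "198.51.100.7", NODE_A_KEY),
        "other_nodes_files": acl.allowed("nodes/node-a/policy.cf", "192.0.2.10", NODE_B_KEY),
        "unknown_path": acl.allowed("other/x", "192.0.2.10", NODE_A_KEY),
    }


if __name__ == "__main__":
    print("refuses changed server key:", rejects_key_change())
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The point to take from the model is the asymmetry: a node in an allowed network can fetch common files with any key, but node-specific files never fall back to an IP check, and a changed server key is an error to investigate (re-bootstrapping the node deliberately), not something the client should auto-accept.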
Inventory and HTTP-based reporting
Nodes send an inventory to the server after installation or upgrade, and once a day. Reports are sent at the end of every agent run.
They are sent by the node to its configured policy_server over HTTPS. Validation of the server certificate by the node is optional; enabling it is what protects these flows from being intercepted by an impostor server. Once a node is accepted, every HTTPS report and inventory it sends is checked (authenticated with the node's accepted key pair) before being accepted.