Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

Continuous auditing for effective compliance with Rudder

Jonathan Clarke (Normation)
15:50–16:30 Thursday, 10 November, 2016
Tech, tools, and processes
Location: G103 Level: Intermediate
Average rating: 4.67 (3 ratings)

Prerequisite knowledge

  • Familiarity with the type of technical elements that a typical security policy requires you to check, such as editing an SSH configuration file

What you'll learn

  • Explore Rudder, an up-and-coming open source IT compliance automation tool
  • Learn about real-world projects that automated security compliance auditing and how they benefited

Description

Security policies are increasingly complex and demanding on the operations teams that must implement them. How can you be sure that your security policy is really correct everywhere, apart from an expensive yearly audit? How can you know that what was OK a few weeks ago is still OK?

Rudder is open source IT compliance automation technology that comes from the DevOps world, where automatic configuration management is already the norm. With a focus on continuously checking configurations and centralizing real-time status data, Rudder can show a high-level summary (“ISO 27001 rules are at 100%!”) and break down noncompliance issues to a deep technical level (“Host prod-web-03: SSH server configuration allows root logins”).

Jonathan Clarke offers an overview of Rudder and demonstrates how to input the technical rules of a security policy into Rudder, watch it check them every 5 minutes on each and every one of your servers, and report back a global summary to you, allowing you to drill down to any issues that need remediating. Jonathan also explains how a successfully deployed policy can be enforced by the same tool, moving one step further from automatic auditing to automatic remediation. Along the way, Jonathan shares lessons learned from companies that have gone from asking whether their security policy was really applied to receiving near real-time alerts about noncompliance issues as they arise.

In particular, Jonathan explores the specific features in Rudder that have made it successful in compliance projects:

  • A simple framework allows you to extend the built-in rules to implement specific low-level configuration patterns, however complex they may be, using simple building blocks (“ensure package installed in version X,” “ensure file content,” “ensure line in file,” etc.). A graphical builder lowers the technical level required to use this.
  • Each policy can be independently set to be automatically checked or enforced on a policy or host level. In Enforce mode, each remediation action is recorded, showing the value of these invisible fixes.
  • Rudder works on almost every kind of device, so you’ll be managing physical and virtual servers in the data center, cloud instances, and embedded IoT devices in the same way.
  • Rudder is designed for critical environments where a security breach can mean more than a blip in the sales stats. Built-in features include change requests, audit logs, and strong authentication.
  • Rudder relies on an agent that needs to be installed on all hosts to audit. The agent is very lightweight (10 to 20 MB of RAM at peak) and blazingly fast (it’s written in C and takes less than 10 seconds to verify 100 rules). Installation is self-contained, via a single package, and can auto-update to limit agent management burden.
  • Rudder is a true and professional open source solution—the team behind Rudder doesn’t believe in the dual-speed licensing approach that makes you reinstall everything and promotes open source as little more than a “demo version.”

Jonathan Clarke

Normation

Jonathan Clarke is the cofounder and chief product officer at Normation, an open source software company based in Paris. Jonathan mainly works on Rudder, a truly open source IT automation and compliance tool with professional enterprise requirements, automatic reporting, and lightweight agents at its heart. Jonathan is a system engineer by trade. In his professional life, he has worked almost exclusively with open source tools and dabbled with them well before that. He is also a contributor to several open source projects, including OpenLDAP, LSC, and CFEngine. In his spare time, Jonathan enjoys good food, real ale, cinema, and cycling around Paris.