When OSS Group is faced with a challenge, the team uses their expert knowledge in open-source and commercially supported solutions to get the job done.
A recent challenge was posed by a leading institute of higher education in New Zealand. Their fleet of hundreds of virtual servers was years behind in patching. Continued growth and development, compounded by staff turnover, made the management of the fleet complex and unwieldy.
While this situation is not uncommon for large companies, it is quite dangerous. Unpatched, out-of-date servers are vulnerable to viruses, cyber-attacks, privacy breaches and, when servers can no longer be supported, data loss. The customer could not afford to ignore this risk and wanted to act swiftly.
The solution to this kind of problem is to bring the whole fleet under one system for centralised management and patching. While this can be done using a suite of open-source tools, a commercially supported solution is often preferred by large companies because of the reliability and added support.
Red Hat was selected by the institute as their tool of choice. OSS Group's Scotty Laing designed and built a dedicated Red Hat Satellite Server environment and migrated the 203 existing servers onto it.
“Using Ansible, I was able to automate the entire process of registering and migrating, from traditional Red Hat subscriptions or CentOS subscriptions, and I recreated the subscription assignments for each server to register them with Satellite.”
As part of the automation process, Laing also enabled a tool called Red Hat Insights.
“Red Hat Insights is a massive collection of known vulnerabilities, known bad server configurations and known security issues that have been identified by Red Hat,” said Laing. “It maintains a growing knowledgebase of issues and will compare that to what you are running on your servers.”
Laing enabled this tool at the time of migration so Red Hat Satellite could proactively identify and report all the servers that required reboots or service restarts.
“Using these tools allowed us to identify several critical security vulnerabilities in four of their servers,” said Laing. “This was quite serious, especially as these were internet-facing servers that had been running for four years.”
When Laing shared his findings with the institute, they were impressed. They had only asked to be told what they had running and what needed to be updated. They hadn’t expected him to identify critical security issues as he went.
“The initial work came in well under the predicted hours due to the automation tools used,” explained Laing, “leaving time to identify and report several security holes.”
The added value Laing and the OSS Group team provided early on gave the institute confidence in our partnership. Trusting that OSS Group would be able to get the job done, the institute ordered a complete security audit.
The team already had a head start on what the servers did because the institute had assigned roles to the majority of their hosts using Puppet, a configuration management tool. In addition to this tool, Laing enabled OpenSCAP (Security Content Automation Protocol) policies in Red Hat Satellite.
“Using OpenSCAP, I was able to create a security baseline in collaboration with the institute’s staff,” said Laing.
The institute defined a collection of 30 security policies to create a single, customised policy. Once the customised policy had been imported, Satellite deployed the OpenSCAP agent to all of the institute’s servers. OpenSCAP then provided compliance reports to Satellite for all servers for each of the 30 policies.
The results of the audit highlighted the myriad vulnerabilities across the institute’s fleet of servers. While the institute’s security team wanted the issues fixed quickly, they were fully occupied with the day-to-day running of the institute’s information systems.
Laing and the OSS Group team were brought in to patch and upgrade the server fleet. The team has just completed this work and the institute has a unified collection of servers that are at a synchronised, supported level.
A representative from the institute had this to say.
“Thanks for the fantastic work done by Scotty and the OSS Group team with the patching of our server fleet. You have taken us from being three to four years behind in patching to completely up to date.”
While Laing is pleased with the outcome, he wants to make sure there is a plan for proactive patching and maintenance.
“It’s very easy to fall off the patching wagon,” said Laing. “We will be designing a quarterly patching program to ensure they don’t fall behind again.”
This project required a working understanding and the implementation of a number of tools, including Red Hat Satellite, Foreman, Ansible and Puppet. However, Laing thinks of Red Hat Satellite as the one tool to rule them all.
“We were able to use Satellite to identify everything that needed to be done and present these findings and insights to the senior management team,” said Laing.
Laing likes working with Red Hat tools because of their similarities to open-source tools.
“Previously, I’ve used a lot of open-source software,” said Laing. “Red Hat basically collates all the best open-source stuff.”
If open-source is free, and Red Hat is similar, why invest in Red Hat?
“What you don’t get with open-source is stability and support,” said Laing. “The stability Red Hat provides is particularly useful for large companies who want a single, uniform, supported system across the board.”
With Red Hat’s huge presence in New Zealand, Laing finds it easy to call somebody locally for advice and troubleshooting. And even though it is a commercially supported product, Red Hat still integrates well with open-source tools.
“Red Hat is a good, innovative company that is really easy to work with,” said Laing. “At the end of the day, it’s just nice to use a tool that you have support for and that runs well.”