Rudder
February 03, 2026

The missing layer: security audit of configuration files

🎥 https://www.youtube.com/watch?v=NCNzXtBVvKc
🧑 Alexis Mousset
📅 Config Management Camp 2026

Automation management tools focus on enforcement, pushing a desired state to systems. But there is a growing need for configuration auditing, especially for security reasons, which does not fit this workflow: it requires the ability to fetch real values and check them against a wide range of criteria.
This talk presents a tool designed specifically for auditing configuration files. It is based on Augeas, leveraging its powerful parsing capabilities and lens-based architecture, and extends it with dedicated auditing keywords such as regex matching, numerical comparisons, allowed-value lists, and more. Output is designed to provide useful context, using compiler-like messages, diff output, etc. The tool remains capable of remediation.
We will demonstrate configuration file checks in the context of several security benchmarks, showing how this approach bridges the gap between dedicated audit scripts and automation tooling.


Transcript

  1. Rudder: "Security posture automation" on Linux/Windows
     • A core of configuration management
       ‣ Focus on compliance
     • Also providing:
       ‣ Configuration audit (aka dry-run)
       ‣ Patch management
       ‣ Vulnerability management
       ‣ Security benchmarks (officially announced 2025Q4)
     The missing layer: security auditing of configuration files
  2. Security benchmarks
     • Hardening guidelines
     • CIS benchmarks
     • And others, from NIST, ANSSI, etc.
     • Growing need to apply these requirements and prove compliance with them
       ‣ Legal & normative context
     • The tools are usually focused on audits
       ‣ Below is an actual excerpt from a CIS benchmark:

         grep -P -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{password,system}-auth
  3. Two worlds: automation
     automate(desired_state, is_dry_run) -> ok/ko + logs
     • Automation tools (Rudder, Ansible, Puppet, Terraform, etc.)
       ‣ Take a desired state (as a nice model)
       ‣ Apply it to the world: either succeed or fail
       ‣ May produce logs for technical usage
  4. Two worlds: security audit
     audit(acceptable_states) -> results + logs -> analysis / score
     • Audit tools (CIS-CAT, InSpec, etc.)
       ‣ Take a representation of acceptable states
       ‣ Compare it to the world: either succeed or fail, usually with more granularity
       ‣ Scoring, various criticality levels: give meaning to the result
       ‣ Sometimes a (bad) remediation mode
  5. Bridging the gap
     Do we have to choose between enforcing and probing? Or can we get the best of both worlds?
     • A state model that includes
       ‣ A representation of acceptable states
       ‣ A precise desired state we can converge towards
       ‣ Metadata to provide business meaning
     • Detailed and structured reporting
       ‣ Including a model of the difference: precise non-compliance & change reports (it is a normal thing to happen!)
     • Extract meaning
       ‣ Not just technical logs
  6. Bridging the gap (ii)
     automateAudit(acceptable_states, desired_state, mode) -> structured reports -> scoring / meaning
     Several modes:
     • Enforce the target state
     • Enforce the target state only when the current state is not acceptable
     • Just compare and report
  7. In practice
     Rudder already has a high-level focus on compliance and on extracting relevant information from agent output. We need to push this approach down to the agent level to meet the challenge.
  8. Augeas [1] to the rescue
     • Created in 2007
     • Allows editing many configuration file syntaxes
     • Mostly known through Puppet
     • Hard to use
     • … and file edits are less common
     But:
     • Still the best option
     • The complexity matches the domain's actual complexity
     • (Unexpectedly?) great for audits
  9. Augeas primer
     • Parse file content as a tree (including comments!)
     • Intermediate level of abstraction
       ‣ Abstracts syntax
       ‣ Not logic

         /files/etc/fstab/1
         /files/etc/fstab/1/spec = "/dev/mapper/debian--13--vg-root"
         /files/etc/fstab/1/file = "/"
         /files/etc/fstab/1/vfstype = "ext4"
         /files/etc/fstab/1/opt = "errors"
         /files/etc/fstab/1/opt/value = "remount-ro"
         /files/etc/fstab/1/dump = "0"
         /files/etc/fstab/1/passno = "1"
         /files/etc/fstab/#comment[8] = "/boot was on /dev/sda1 during installation"
         /files/etc/fstab/2
         /files/etc/fstab/2/spec = "UUID=c856d851-66da-4c31-a17a-b53a4afdd1f0"
         /files/etc/fstab/2/file = "/boot"
         /files/etc/fstab/2/vfstype = "ext4"
         /files/etc/fstab/2/opt = "defaults"
         /files/etc/fstab/2/dump = "0"
         /files/etc/fstab/2/passno = "2"
  10. Augeas primer (ii)
     • Work on the tree (read/write):

         ls /files/etc/hosts
         rm /files/etc/fstab/3
         set /files/etc/fstab/seq::*[spec='/dev/mapper/debian--13--vg-var']/opt/value 'noexec'

     • Save to disk:

         save

     • Either scripted or interactively with augtool.
  11. Lenses (ii)
     Augeas is based on lenses:
     • Bidirectional transformations between the files and the tree
       ‣ In practice, one lens per file format
     • Allows observing the current state and describing the changes
     • Can push the changes to the system
  12. Extending Augeas
     Augeas lacks a few things for our needs:
     • Assertions on the values
     • Ability to audit vs. modify
     • Detailed output
     Instead of modifying it, we decided to create a wrapper.
  13. Start with a library
     Exposing the full Augeas C interface (plus some tooling) in Rust (raugeas [3], Rust Augeas):

         use raugeas::{Augeas, Flags};

         let mut aug = Augeas::init(Some("/"), "", Flags::NONE)?;

         // Get the ip address for host.example.com from `/etc/hosts`.
         let entry = aug.get("etc/hosts/*[canonical = 'host.example.com']/ip")?;
         if let Some(ip) = entry {
             println!("The ip for host.example.com is {}", ip);
         } else {
             println!("There is no entry for host.example.com in /etc/hosts");
         }

         // Add an alias for host.example.com.
         aug.set(
             "etc/hosts/*[canonical = 'host.example.com']/alias[last()+1]",
             "server.example.com",
         )?;
  14. Why Rust
     • Speed is a feature
       ‣ Unlocks use cases
     • Seamless access to important system APIs (C libs, etc.)
     • Safety and robustness are non-negotiable
     • Multiplatform (Linux/Windows)
  15. Extending the language: assertions
     • Add check/check_not keywords, providing a built-in assertion library:

         check etc/hosts/1/ip ...

     • raugtool utility: augtool with extensions, a drop-in replacement.
  16. Asserts: individual values
     String

         check /path/to len >= 3
         check /path/to ~ this.*[a-z]+
         check /path/to == "My string"

     Numeric

         check /path/to is uint
         check /path/to > 78GB
         check /path/to == 1234

     IP

         check /path/to is ipv6
         check /path/to in_ip_range ["192.167.30.1/24", "182.168.31.1/24"]
  17. Asserts: individual values (ii)
     Passwords
     Allows controlling a password's strength in a file (with special care not to display its value).
     • Using a standard minimum count by character class (total, lowercase, uppercase, decimal, special):

         check /path/to password tluds 12 1 1 1 0

     • Using the zxcvbn [4] score:

         check /path/to password score 4
  18. Asserts: multiple values
     Either by automatic iteration:

         check /files/etc/ntp.conf/server[*]/ip in iprange 192.168.43.3/24

     Or by assertions on lists:

         check /files/etc/program/curves[*] values == ["X25519", "prime256v1", "secp384r1"]
         check /files/etc/program/curves[*] values === ["X25519", "prime256v1", "secp384r1"]
  19. Extending the interpreter
     We use a custom interpreter that intercepts all commands and:
     • Handles the check commands
     • Passes other commands to Augeas directly
       ‣ Filters based on the current mode
       ‣ Adds output
     • Fail fast vs. collect errors
  20. Output
     Augeas is very quiet. We need to let the user know what happens:
     • Lint errors, using spans whenever possible:

         raugtool> check /files/etc/hosts/1/ipaddr is int
         Error: Type check error
            ╭─[/etc/hosts:8:1]
            │
          8 │ 127.0.0.1 localhost
            │ ────┬────
            │     ╰────── type of 127.0.0.1 is NOT int
         ───╯

     • File diffs, using preview and diffs
       ‣ For non-compliance or repair reports
  21. Rudder integration (ii)
     Represented as code (rudder-module-augeas [5]):

         - method: file_augeas
           params:
             path: /etc/login.defs
             script: set /files/etc/login.defs/PASS_WARN_AGE ${login_defs_pass_warn_age}
             if_script: check /files/etc/login.defs/PASS_WARN_AGE < ${login_defs_pass_warn_age}
           name: '5.4.1.3 - file augeas'
  22. Dedicated interface
     • A "Rudder module"
     • Works on one file
       ‣ Does not load the whole system's configuration
     • Has an if_script to condition changes
       ‣ Augeas scripts are not always idempotent
       ‣ Augeas scripts have no logic of their own
     • Handles file backups (and other generic Rudder features).
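What such a check-then-set interpreter looks like in miniature, as an added example (my code, written for this page; it is not raugtool, raugeas or the Rudder module, and is not from the deck). It covers slides 16 to 22: a few assertion keywords, the three modes of slide 6, compiler-like messages with a file:line span, a diff-style change report, and the if_script idea of only changing a value when a check failed. Everything in it is an assumption made for illustration: a flat "KEY value" file stands in for an Augeas lens, the tree path scheme is /files/<file>/<KEY>, the keyword subset is ==, >=, is uint, in and in_ip_range, and the login.defs sample is constructed.

```rust
// Added example, not raugtool/raugeas code: a toy audit-vs-enforce interpreter over a
// flat "KEY value" file such as /etc/login.defs. Tree layout ("/files/<file>/<KEY>"),
// keyword subset and diagnostic format are assumptions made here to show the mechanics.
use std::collections::BTreeMap;
use std::net::Ipv4Addr;

#[derive(Clone, Debug, PartialEq)]
pub struct Node { pub value: String, pub line: usize }
pub type Tree = BTreeMap<String, Node>; // stand-in for the Augeas tree

/// Parse "KEY value" lines; blank lines and '#' comments are skipped.
pub fn parse(file: &str, content: &str) -> Tree {
    let mut tree = Tree::new();
    for (i, raw) in content.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let mut parts = line.splitn(2, char::is_whitespace);
        let key = parts.next().unwrap_or("");
        let value = parts.next().unwrap_or("").trim().to_string();
        tree.insert(format!("/files/{file}/{key}"), Node { value, line: i + 1 });
    }
    tree
}

/// Subset of the slides' assertion keywords (no `~` regex: std has no regex engine).
#[derive(Clone, Debug)]
pub enum Assert { Eq(String), Ge(u64), IsUint, In(Vec<String>), InIpRange(Ipv4Addr, u8) }

fn in_cidr(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - u32::from(prefix.min(32))) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

/// Evaluate one assertion against a value; `Err` carries the message shown to the user.
pub fn eval(a: &Assert, v: &str) -> Result<(), String> {
    let pass = |ok: bool, msg: String| if ok { Ok(()) } else { Err(msg) };
    let uint = || v.parse::<u64>().map_err(|_| format!("type of {v} is NOT uint"));
    match a {
        Assert::Eq(s) => pass(v == s.as_str(), format!("{v:?} != {s:?}")),
        Assert::Ge(n) => pass(uint()? >= *n, format!("{v} is NOT >= {n}")),
        Assert::IsUint => uint().map(|_| ()),
        Assert::In(list) => pass(list.iter().any(|s| s.as_str() == v), format!("{v:?} not in {list:?}")),
        Assert::InIpRange(net, p) => {
            let ip: Ipv4Addr = v.parse().map_err(|_| format!("type of {v} is NOT ipv4"))?;
            pass(in_cidr(ip, *net, *p), format!("{v} not in {net}/{p}"))
        }
    }
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Mode { Audit, EnforceIfNotCompliant, Enforce }
pub enum Cmd { Check(String, Assert), Set(String, String) }
#[derive(Debug, Default, PartialEq)]
pub struct Report { pub non_compliant: usize, pub changed: bool, pub messages: Vec<String> }

/// Run a script: `check` never mutates; `set` is applied according to the mode
/// (EnforceIfNotCompliant is the if_script idea: change only if a check failed).
/// A `set` that would not change the value is skipped, so re-runs are idempotent.
pub fn run(file: &str, tree: &mut Tree, script: &[Cmd], mode: Mode) -> Report {
    let mut rep = Report::default();
    for cmd in script {
        match cmd {
            Cmd::Check(path, a) => {
                let (line, res) = match tree.get(path) {
                    Some(n) => (n.line, eval(a, &n.value)),
                    None => (0, Err("node is missing".to_string())),
                };
                if let Err(msg) = res {
                    rep.non_compliant += 1; // compiler-like diagnostic: where, and why
                    rep.messages.push(format!("error: check {path} failed\n  --> {file}:{line}\n   = {msg}"));
                }
            }
            Cmd::Set(path, value) => {
                let apply = mode == Mode::Enforce || (mode == Mode::EnforceIfNotCompliant && rep.non_compliant > 0);
                let old = tree.get(path).cloned();
                if apply && old.as_ref().map(|n| n.value.as_str()) != Some(value.as_str()) {
                    let line = old.as_ref().map_or(0, |n| n.line);
                    tree.insert(path.clone(), Node { value: value.clone(), line });
                    rep.changed = true; // diff-style change report
                    rep.messages.push(format!("-{path} = {}\n+{path} = {value}", old.map_or(String::new(), |n| n.value)));
                }
            }
        }
    }
    rep
}

/// Constructed sample (not a real system file): PASS_WARN_AGE is below the CIS floor of 7.
pub const LOGIN_DEFS: &str = "# constructed sample\nPASS_MAX_DAYS\t365\nPASS_WARN_AGE\t5\nUMASK\t027\n";

/// Checks in the spirit of the login.defs rule on slide 21, plus the fix.
pub fn cis_script() -> Vec<Cmd> {
    let (warn, umask) = ("/files/etc/login.defs/PASS_WARN_AGE".to_string(), "/files/etc/login.defs/UMASK".to_string());
    vec![Cmd::Check(warn.clone(), Assert::Ge(7)), Cmd::Check(umask, Assert::In(vec!["027".into(), "077".into()])),
         Cmd::Set(warn, "7".to_string())]
}

fn main() {
    let mut tree = parse("etc/login.defs", LOGIN_DEFS);
    let rep = run("/etc/login.defs", &mut tree, &cis_script(), Mode::EnforceIfNotCompliant);
    println!("{} non-compliant, changed={}\n{}", rep.non_compliant, rep.changed, rep.messages.join("\n"));
}
```

Running the same script in Audit mode leaves the tree untouched and only reports the failing check with its line; in EnforceIfNotCompliant mode the first run reports the failure and the change, and a second run reports nothing and changes nothing. That check-before-set ordering is the guard the module's if_script provides: without it, a `set` on an append path such as the `alias[last()+1]` example on slide 13 would add a node on every run.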
  23. Visual reports
     Reports in the Web interface: (screenshot)
  24. Conclusion
     • We can improve configuration management
       ‣ Measuring/observing is a part of (good) automation
       ‣ The desired state is a model, not reality
       ‣ Learn to live with shades of correctness
       ‣ Provide useful information in addition to technical information
       ‣ Bidirectional architecture
     • Not a revolution, an incremental approach
       ‣ Reuse and extend
       ‣ Small steps
     • Augeas is nice!
  25. Thanks! Questions?
     References
     [1] R. Pinson, Augeas: A Configuration API. 2013. [Online]. Available: http://r.pinson.free.fr/augeas/augeas-book.pdf
     [2] J. N. Foster, "Bidirectional Programming Languages," 2010.
     [3] "Normation/Raugeas." Accessed: Jan. 01, 2025. [Online]. Available: https://github.com/Normation/raugeas
     [4] D. L. Wheeler, "Zxcvbn: Low-Budget Password Strength Estimation," presented at the 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 157–173. Accessed: Feb. 01, 2026. [Online]. Available: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
     [5] "Rudder/Policies/Module-Types/Augeas at Master · Normation/Rudder." Accessed: Feb. 01, 2026. [Online]. Available: https://github.com/Normation/rudder/tree/master/policies/module-types/augeas