cv: firemon: More details for FireMon projects
parent 7776f656df
commit 593516fd22
@ -15,7 +15,48 @@ from a single server to massive multi-node ecosystems.

<!-- more -->

# FMOS Generation II
# FMOS: FireMon Operating System

## Ansible Configuration Policy

* Configuration policy for deployment of all FireMon software and
third-party dependencies
* Support for single-server and distributed deployments
* Automatically compute JVM heap sizes for each process based on available
resources
* Configures Elasticsearch in single-node or clustered mode
* Configures PostgreSQL with optional replication to standby servers
* Configures Kernel NFS server and client to share filesystem data between
machines
* Configures FireMon application server processes, including connection and
authentication information for PostgreSQL, Elasticsearch
* Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic
encryption of Elasticsearch communication
* Configures operating system login, password policy, including support for
external authentication providers such as LDAP or Kerberos
* Sets up *collectd* and Carbon (Graphite data storage engine) to track
system performance metrics, optionally replicating metrics data to a
FireMon-managed central storage for real-time review
* Optionally configures *rsyslog* to send log messages to remote destinations
over UDP, TCP, or TCP+TLS
* Configures *tmux* to automatically launch at user login

## Deployment and Maintenance Tools

* Python software for configuring and managing machines running FireMon
software (`fmos` command)
* Critical functionality for application maintenance:
* Updating OS and software
* Backing up and restoring data
* Capturing diagnostic information for technical support
* Modifying configuration settings
* Managing server certificates and private keys
* D-Bus daemon to handle privileged operations
* Unprivileged command-line interface
* HTTP API developed with FastAPI


## Generation II Platform

* Based on CentOS 7
* Full-disk encryption using LUKS

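Review bot: the two top-level headings `# FMOS Generation II` and `# FMOS: FireMon Operating System` sit back to back with no text between them, so the file now reads as if the old section heading was left in place above the new one; keep one of them, or nest the generation under the FMOS heading as `##` to match `## Generation II Platform` further down, otherwise the page ships with an empty section. Two wording points in the same list: `authentication information for PostgreSQL, Elasticsearch` should read `for PostgreSQL and Elasticsearch`, and `Kernel NFS` is the in-kernel server rather than a product name, so `kernel NFS`. The three bullets `D-Bus daemon to handle privileged operations`, `Unprivileged command-line interface` and `HTTP API developed with FastAPI` describe the most interesting security property of the tooling, privilege separation, but only implicitly; one clause such as `Unprivileged CLI and FastAPI HTTP front end that delegate privileged operations to a D-Bus daemon` makes that explicit, and the HTTP bullet should say how its callers are authenticated and which of the maintenance operations listed above (updates, backup and restore, certificate and private-key management) it exposes.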
@ -25,34 +66,15 @@ from a single server to massive multi-node ecosystems.
* Used Koji to build RPM packages for first- and third-party software
* Distribution included Ansible for configuration management
* systemd units for controlling FireMon application services
* Configuration policy for deployment of all FireMon software and
third-party dependencies
* Support for single-server and distributed deployments
* Automatically compute JVM heap sizes for each process based on available
resources
* Configures Elasticsearch in single-node or clustered mode
* Configures PostgreSQL with optional replication to standby servers
* Configures Kernel NFS server and client to share filesystem data between
machines
* Configures FireMon application server processes, including connection and
authentication information for PostgreSQL, Elasticsearch
* Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic
encryption of Elasticsearch communication
* Configures operating system login, password policy, including support for
external authentication providers such as LDAP or Kerberos
* Sets up *collectd* and Carbon (Graphite data storage engine) to track
system performance metrics, optionally replicating metrics data to a
FireMon-managed central storage for real-time review
* Optionally configures *rsyslog* to send log messages to remote destinations
over UDP, TCP, or TCP+TLS
* Configures *tmux* to automatically launch at user login
* …

# FMOS Generation III
## Generation III Platform

* Based on CentOS 7, later CentOS 8 (Stream)
* Immutable SquashFS root filesystem image
* …
* Full-disk encryption using LUKS
* Custom Dracut modules to verify image OpenPGP signature, mount as rootfs,
initialize LUKS-encrypted persistent data volume with LVM
* Custom SELinux policy to confine FireMon software


# DevOps Team Lead
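Review bot: the bullet block from `Configuration policy for deployment of all FireMon software and` through `Configures *tmux* to automatically launch at user login` is the same text as the `## Ansible Configuration Policy` list in the previous hunk; the rendered diff has lost its +/- markers, so it is impossible to tell here whether this is the old copy being removed or a second copy being kept, and the final file should be checked for exactly one. The `* …` placeholder bullets (after the tmux line and after `Immutable SquashFS root filesystem image`) need to be filled in or dropped before this is published. Under `## Generation III Platform`, `Full-disk encryption using LUKS` contradicts the bullets around it: the root is an immutable SquashFS image whose OpenPGP signature Dracut verifies, and the next bullet says LUKS is applied to the persistent data volume, so `LUKS encryption of the persistent data volume` is the accurate claim (the full-disk wording belongs to Generation II only). That Dracut bullet also reads more clearly as a sequence: `verify the image's OpenPGP signature, mount it as the root filesystem, and initialize the LUKS-encrypted LVM data volume`. Minor: `CentOS 8 (Stream)` is `CentOS Stream 8`, and `# FMOS Generation III` lacks the blank line before `## Generation III Platform` that the other headings have.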
@ -112,3 +134,16 @@ from a single server to massive multi-node ecosystems.
* Accessible via purpose-built, ultra-minimal Linux distribution (Kernel and
Busybox only) delivered by network boot/PXE
* Written in Rust


# FireMon-as-a-Service

* Cloud-hosted FireMon software deployment
* Deployed backend infrastructure for federated authentication using OpenLDAP,
MIT kerberos
* Followed Infrastructure-as-Code principles using Ansible
* Developed custom integrated authentication solution for FireMon Security
Manager software to provide full-featured account and credential management
using Kerberos protocol (Authgate)
* Python bindings for *mit-kerberos* using Cython

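Review bot: in `using OpenLDAP, MIT kerberos` the product is `MIT Kerberos`, and the bullet reads better as `using OpenLDAP and MIT Kerberos`; `*mit-kerberos*` in the Cython bullet names the same library and should use one consistent spelling with the line above. `(Authgate)` arrives at the end of a three-line sentence with nothing to mark it as the project's name; leading with it (`Authgate: custom integrated authentication solution for FireMon Security Manager ...`) keeps the item scannable and puts the name where a reader looks for it. `Cloud-hosted FireMon software deployment` says nothing about what was done; a verb and an object (what was deployed, where) would match the other bullets. The unchanged context lines at the top of the hunk carry two casing slips that could ride along in this commit: `Kernel and Busybox` should be `kernel and BusyBox`.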