diff --git a/content/cv/firemon.md b/content/cv/firemon.md index bd24877..aab79d0 100644 --- a/content/cv/firemon.md +++ b/content/cv/firemon.md 
@@ -15,7 +15,48 @@ from a single server to massive multi-node ecosystems. -# FMOS Generation II +# FMOS: FireMon Operating System + +## Ansible Configuration Policy + +* Configuration policy for deployment of all FireMon software and + third-party dependencies +* Support for single-server and distributed deployments +* Automatically compute JVM heap sizes for each process based on available + resources +* Configures Elasticsearch in single-node or clustered mode +* Configures PostgreSQL with optional replication to standby servers +* Configures Kernel NFS server and client to share filesystem data between + machines +* Configures FireMon application server processes, including connection and + authentication information for PostgreSQL, Elasticsearch +* Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic + encryption of Elasticsearch communication +* Configures operating system login, password policy, including support for + external authentication providers such as LDAP or Kerberos +* Sets up *collectd* and Carbon (Graphite data storage engine) to track + system performance metrics, optionally replicating metrics data to a + FireMon-managed central storage for real-time review +* Optionally configures *rsyslog* to send log messages to remote destinations + over UDP, TCP, or TCP+TLS +* Configures *tmux* to automatically launch at user login + +## Deployment and Maintenance Tools + +* Python software for configuring and managing machines running FireMon + software (`fmos` command) +* Critical functionality for application maintenance: + * Updating OS and software + * Backing up and restoring data + * Capturing diagnostic information for technical support + * Modifying configuration settings + * Managing server certificates and private keys +* D-Bus daemon to handle privileged operations +* Unprivileged command-line interface +* HTTP API developed with FastAPI + + +## Generation II Platform * Based on CentOS 7 * Full-disk encryption using LUKS 
@@ -25,34 +66,15 @@ from a single server to massive multi-node ecosystems. * Used Koji to build RPM packages for first- and third-party software * Distribution included Ansible for configuration management * systemd units for controlling FireMon application services -* Configuration policy for deployment of all FireMon software and - third-party dependencies - * Support for single-server and distributed deployments - * Automatically compute JVM heap sizes for each process based on available - resources - * Configures Elasticsearch in single-node or clustered mode - * Configures PostgreSQL with optional replication to standby servers - * Configures Kernel NFS server and client to share filesystem data between - machines - * Configures FireMon application server processes, including connection and - authentication information for PostgreSQL, Elasticsearch - * Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic - encryption of Elasticsearch communication - * Configures operating system login, password policy, including support for - external authentication providers such as LDAP or Kerberos - * Sets up *collectd* and Carbon (Graphite data storage engine) to track - system performance metrics, optionally replicating metrics data to a - FireMon-managed central storage for real-time review - * Optionally configures *rsyslog* to send log messages to remote destinations - over UDP, TCP, or TCP+TLS - * Configures *tmux* to automatically launch at user login -* … -# FMOS Generation III +## Generation III Platform * Based on CentOS 7, later CentOS 8 (Stream) * Immutable SquashFS root filesystem image -* … +* Full-disk encryption using LUKS +* Custom Dracut modules to verify image OpenPGP signature, mount as rootfs, + initialize LUKS-encrypted persistent data volume with LVM +* Custom SELinux policy to confine FireMon software # DevOps Team Lead 
@@ -112,3 +134,16 @@ from a single server to massive multi-node ecosystems. * Accessible via purpose-built, ultra-minimal Linux distribution (Kernel and Busybox only) delivered by network boot/PXE * Written in Rust + + +# FireMon-as-a-Service + +* Cloud-hosted FireMon software deployment +* Deployed backend infrastructure for federated authentication using OpenLDAP, + MIT kerberos +* Followed Infrastructure-as-Code principles using Ansible +* Developed custom integrated authentication solution for FireMon Security + Manager software to provide full-featured account and credential management + using Kerberos protocol (Authgate) +* Python bindings for *mit-kerberos* using Cython +
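Review bot: The bullets under the new "Ansible Configuration Policy" heading mix noun phrases ("Configuration policy for deployment of ...", "Support for single-server ...") with third-person verbs ("Configures Elasticsearch ...", "Sets up *collectd* ...") and one imperative ("Automatically compute JVM heap sizes ..."); since the list was flattened from a nested sub-list into a top-level one, make every item parallel, e.g. "Computes JVM heap sizes for each process ...". Two items also read as run-ons and should get a conjunction: "authentication information for PostgreSQL and Elasticsearch" and "operating system login and password policy". On the security claims, "opportunistic encryption of Elasticsearch communication" is ambiguous as written (opportunistic IPsec usually implies a cleartext fallback when a peer does not negotiate), so state whether the strongSwan policy requires IPsec for that traffic or allows fallback; and the pair "D-Bus daemon to handle privileged operations" / "Unprivileged command-line interface" would be clearer as one bullet that names the privilege boundary (the unprivileged `fmos` CLI requests privileged operations from the daemon over D-Bus). Finally, drop one of the two blank lines before "## Generation II Platform".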
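Review bot: With the configuration policy moved out of the Generation II list into the shared "Ansible Configuration Policy" section, the surviving bullet "Distribution included Ansible for configuration management" no longer tells the reader which policy that was; add a short pointer to the shared section (and do the same under Generation III if the policy applies there too) so the relationship is not lost. The new Generation III bullet "Custom Dracut modules to verify image OpenPGP signature, mount as rootfs, initialize LUKS-encrypted persistent data volume with LVM" packs three steps into one comma list; splitting it into sub-bullets in boot order (verify signature, then mount the verified image as rootfs, then initialize the persistent volume) makes the verify-before-mount property explicit. The heading demotion from "# FMOS Generation III" to "## Generation III Platform" matches the Generation II change, so the `#` / `##` hierarchy is consistent with the unchanged "# DevOps Team Lead" heading.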
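Review bot: "MIT kerberos" in the OpenLDAP bullet should be "MIT Kerberos" (the protocol name is capitalized elsewhere in this hunk, e.g. "using Kerberos protocol"), and that bullet also needs a conjunction: "using OpenLDAP and MIT Kerberos". The Authgate bullet buries the product name at the end of a four-line sentence; leading with it ("Authgate: custom integrated authentication solution for FireMon Security Manager providing ...") reads better in a CV. If the "Python bindings for *mit-kerberos* using Cython" bullet is a component of Authgate rather than a separate deliverable, nest it under that item. The hunk also adds two blank lines before "# FireMon-as-a-Service" and a trailing blank line at end of file; keep one blank line before the heading and drop the trailing one.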