cv: firemon: More details for FireMon projects

pull/1/head
Dustin 2022-05-18 20:52:46 -05:00
parent 7776f656df
commit 593516fd22
1 changed files with 60 additions and 25 deletions

@ -15,7 +15,48 @@ from a single server to massive multi-node ecosystems.
<!-- more --> <!-- more -->
# FMOS Generation II # FMOS: FireMon Operating System
## Ansible Configuration Policy
* Configuration policy for deployment of all FireMon software and
third-party dependencies
* Support for single-server and distributed deployments
* Automatically compute JVM heap sizes for each process based on available
resources
* Configures Elasticsearch in single-node or clustered mode
* Configures PostgreSQL with optional replication to standby servers
* Configures Kernel NFS server and client to share filesystem data between
machines
* Configures FireMon application server processes, including connection and
authentication information for PostgreSQL, Elasticsearch
* Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic
encryption of Elasticsearch communication
* Configures operating system login, password policy, including support for
external authentication providers such as LDAP or Kerberos
* Sets up *collectd* and Carbon (Graphite data storage engine) to track
system performance metrics, optionally replicating metrics data to a
FireMon-managed central storage for real-time review
* Optionally configures *rsyslog* to send log messages to remote destinations
over UDP, TCP, or TCP+TLS
* Configures *tmux* to automatically launch at user login
## Deployment and Maintenance Tools
* Python software for configuring and managing machines running FireMon
software (`fmos` command)
* Critical functionality for application maintenance:
* Updating OS and software
* Backing up and restoring data
* Capturing diagnostic information for technical support
* Modifying configuration settings
* Managing server certificates and private keys
* D-Bus daemon to handle privileged operations
* Unprivileged command-line interface
* HTTP API developed with FastAPI
## Generation II Platform
* Based on CentOS 7 * Based on CentOS 7
* Full-disk encryption using LUKS * Full-disk encryption using LUKS
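Review bot: the bullets under `## Ansible Configuration Policy` mix verb forms: "Automatically compute JVM heap sizes" and "Support for single-server and distributed deployments" sit among items that all read "Configures ..."; suggest "Automatically computes JVM heap sizes ..." and "Supports single-server and distributed deployments" so the list scans consistently. In the same section, "Configures operating system login, password policy" reads better as "Configures operating system login and password policy", and "Kernel NFS" should be "kernel NFS". Under `## Deployment and Maintenance Tools`, the pairing of a "D-Bus daemon to handle privileged operations" with an "Unprivileged command-line interface" is the security-relevant design point of the `fmos` tooling, but the list leaves how the daemon decides which callers may invoke privileged operations implicit; one clause naming the authorization mechanism would make the privilege boundary concrete.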
@ -25,34 +66,15 @@ from a single server to massive multi-node ecosystems.
* Used Koji to build RPM packages for first- and third-party software * Used Koji to build RPM packages for first- and third-party software
* Distribution included Ansible for configuration management * Distribution included Ansible for configuration management
* systemd units for controlling FireMon application services * systemd units for controlling FireMon application services
* Configuration policy for deployment of all FireMon software and
third-party dependencies
* Support for single-server and distributed deployments
* Automatically compute JVM heap sizes for each process based on available
resources
* Configures Elasticsearch in single-node or clustered mode
* Configures PostgreSQL with optional replication to standby servers
* Configures Kernel NFS server and client to share filesystem data between
machines
* Configures FireMon application server processes, including connection and
authentication information for PostgreSQL, Elasticsearch
* Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic
encryption of Elasticsearch communication
* Configures operating system login, password policy, including support for
external authentication providers such as LDAP or Kerberos
* Sets up *collectd* and Carbon (Graphite data storage engine) to track
system performance metrics, optionally replicating metrics data to a
FireMon-managed central storage for real-time review
* Optionally configures *rsyslog* to send log messages to remote destinations
over UDP, TCP, or TCP+TLS
* Configures *tmux* to automatically launch at user login
* …
# FMOS Generation III ## Generation III Platform
* Based on CentOS 7, later CentOS 8 (Stream) * Based on CentOS 7, later CentOS 8 (Stream)
* Immutable SquashFS root filesystem image * Immutable SquashFS root filesystem image
* … * Full-disk encryption using LUKS
* Custom Dracut modules to verify image OpenPGP signature, mount as rootfs,
initialize LUKS-encrypted persistent data volume with LVM
* Custom SELinux policy to confine FireMon software
# DevOps Team Lead # DevOps Team Lead
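Review bot: the new Generation III bullets "Custom Dracut modules to verify image OpenPGP signature, mount as rootfs, initialize LUKS-encrypted persistent data volume with LVM" and "Custom SELinux policy to confine FireMon software" are the strongest security content in the file, yet they do not say what happens when the signature check fails or where the trust anchor for the verification lives; a short clause such as "refusing to boot an unsigned or tampered image", if that is the behaviour, would state the guarantee rather than the mechanism. "Full-disk encryption using LUKS" now appears verbatim under both Generation II and Generation III; the Generation III copy could be folded into the Dracut bullet that already mentions the LUKS-encrypted data volume, so the same fact is not listed twice.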
@ -112,3 +134,16 @@ from a single server to massive multi-node ecosystems.
* Accessible via purpose-built, ultra-minimal Linux distribution (Kernel and * Accessible via purpose-built, ultra-minimal Linux distribution (Kernel and
Busybox only) delivered by network boot/PXE Busybox only) delivered by network boot/PXE
* Written in Rust * Written in Rust
# FireMon-as-a-Service
* Cloud-hosted FireMon software deployment
* Deployed backend infrastructure for federated authentication using OpenLDAP,
MIT kerberos
* Followed Infrastructure-as-Code principles using Ansible
* Developed custom integrated authentication solution for FireMon Security
Manager software to provide full-featured account and credential management
using Kerberos protocol (Authgate)
* Python bindings for *mit-kerberos* using Cython
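Review bot: "MIT kerberos" in the federated-authentication bullet should be "MIT Kerberos" (the protocol name is capitalized; the lowercase `mit-kerberos` in the last bullet is fine as a package name). The Authgate bullet is one long sentence with the product name at the end; leading with it, e.g. "Authgate: custom integrated authentication solution giving FireMon Security Manager full-featured account and credential management over Kerberos", reads more easily. "Python bindings for *mit-kerberos* using Cython" sits as a sibling bullet, so it is unclear whether the bindings are part of Authgate or a separate deliverable; nesting it under the Authgate bullet, as the sub-bullets under `## Deployment and Maintenance Tools` do, would settle that.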