The complexity and number of applications and services in today’s IT environments keep growing. Manual management increases not only security and non-compliance risks, but also the time needed to detect and remove them. The same applies to service continuity and errors in IT systems: as much as 17% of data leaks are caused by human error, and on average 68% of data leaks are detected a few months after the event.¹ As a result, without systems that continuously check compliance with the organization’s policy and security standards, we cannot determine whether, after deploying another product or service, we still offer proper security for our business and clients.
Red Hat Satellite is focused on building and maintaining the SOE (Standard Operating Environment) for applications and services running in the organization. The main goal of an SOE is a high degree of standardization and automation, which results in greater operational efficiency, security, order and certainty about the state of the environment.
1. Security Improvement
Thanks to Red Hat Satellite, we can continuously monitor compliance with the organization’s adopted policy and selected security standards. For this purpose, we can use previously prepared SCAP (Security Content Automation Protocol) profiles. SCAP is a standard that defines, among other things, the language for describing the adopted security policy, the mechanisms used to validate it, and the naming and format of the final reports. This feature saves on very expensive audits, which in complex environments need to be carried out at least once a year. With Red Hat Satellite, we can run them monthly, weekly or even daily. The result is a report covering the whole environment and each system separately, which states precisely which discrepancies were found and how to bring the systems into a proper state.
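To illustrate the standardized report format, here is an added example (not Red Hat's code and not part of Satellite) that reads XCCDF 1.2 scan results and lists the failed rules per host. The sample XML, host names and rule ids are constructed, and the percentage is a plain pass ratio rather than an XCCDF scoring model.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
NS = {"x": XCCDF}

# Constructed sample results (hosts and rule ids are made up for illustration).
SAMPLE = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_org.example_benchmark_soe">
 <TestResult id="xccdf_org.example_testresult_web01">
  <target>web01.example.com</target>
  <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_auditd_enabled" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_grub2_password" severity="high"><result>notapplicable</result></rule-result>
 </TestResult>
 <TestResult id="xccdf_org.example_testresult_db01">
  <target>db01.example.com</target>
  <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high"><result>pass</result></rule-result>
 </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return {host: {"counts", "failed", "pass_pct"}} for every TestResult."""
    report = {}
    for tr in ET.fromstring(xml_text).iter(f"{{{XCCDF}}}TestResult"):
        host = tr.findtext("x:target", default="unknown", namespaces=NS)
        counts, failed = {}, []
        for rr in tr.findall("x:rule-result", NS):
            result = rr.findtext("x:result", default="unknown", namespaces=NS)
            counts[result] = counts.get(result, 0) + 1
            if result == "fail":
                failed.append((rr.get("severity", "unknown"), rr.get("idref")))
        # Only pass/fail count towards the ratio; notapplicable etc. are excluded.
        evaluated = counts.get("pass", 0) + counts.get("fail", 0)
        pct = round(100 * counts.get("pass", 0) / evaluated, 1) if evaluated else None
        report[host] = {"counts": counts, "failed": sorted(failed), "pass_pct": pct}
    return report


if __name__ == "__main__":
    for host, r in summarize(SAMPLE).items():
        print(host, r["pass_pct"], r["failed"])
```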
Together with Red Hat Satellite, we get the opportunity to use Red Hat Insights, which provides proactive analytics with ready-made procedures to remove security vulnerabilities and increase the efficiency and stability of Red Hat products. It correlates the events occurring in the system and its configuration with the information contained in the Red Hat knowledge base, providing information on potential problems and vulnerabilities. Red Hat Insights also has the ability to generate ready-made Ansible playbooks that are able to implement the proposed recommendations on a selected group of systems. Access to reports and playbooks from Red Hat Insights is possible directly from the Red Hat Satellite interface.
2. Keeping order and automation
Red Hat Satellite mainly uses Puppet modules and Ansible roles to manage configuration and automation. Note that the use of Ansible in Red Hat Satellite is, at least by design, limited to managing Red Hat products. For applications beyond these, Red Hat Ansible Tower should be used for management and automation. It is also possible to execute sets of commands on a selected group of systems. These features allow you to keep system and service configuration consistent, as well as to conveniently and quickly perform updates on dozens or even thousands of systems.
3. Software Management
Software management within the SOE is based on defined life cycle phases (Development, Testing, QA and Production). Content can also be versioned and filtered. This applies to packages, modules and applications, which can be delivered in various ways to different groups of hosts. Red Hat Satellite can also provide third-party software to the systems and synchronize content from its repositories, which can then be distributed to hosts directly from Red Hat Satellite or via Red Hat Satellite Capsule.
It also allows convenient operation of systems completely excluded from access to the Internet. Updates and software from the Red Hat CDN (Content Delivery Network) are delivered to Red Hat Satellite, and then to systems that only need a connection to Red Hat Satellite or a local Red Hat Satellite Capsule.
Thanks to Red Hat Satellite Capsule, the entire architecture becomes very scalable, and Red Hat Satellite is able to support even very large data centers with thousands of hosts in each location. A Red Hat Satellite Capsule is usually placed in each location to relieve the central Red Hat Satellite of certain functions. Its main tasks are to synchronize the content of repositories and modules from Red Hat Satellite and to share them with local hosts.
Red Hat Satellite Capsule can also take on other functions from Red Hat Satellite. Examples of these include configuration management, control and scanning, as well as system detection and zero-system provisioning. With a large number of systems in each location, the use of Red Hat Satellite Capsule is highly recommended. Of course, the entire administration is carried out from one central place, which is Red Hat Satellite.
4. Adding and building new systems
Red Hat Satellite can provision systems on physical servers (bare metal), in virtual environments such as VMware or RHV (Red Hat Virtualization), in private cloud solutions based on Red Hat OpenStack, and with all known public cloud providers. Systems can be built from scratch and deployed using flexible provisioning templates, Kickstart files or VM templates, with or without PXE. There are many ways to configure them, so you can conveniently automate the entire configuration process of new systems and then maintain them.
The complete and proper implementation of Red Hat Satellite requires good planning and adequate time to prepare templates that will be accepted by the administrators, application developers and the security department. Based on them, the entire operational environment for the application can be built in the future. Of course, you can also use the automatic detection of previously configured systems or add them manually, and then only manage their configuration and audit them.
5. Subscription management
Thanks to the content views shared with hosts, it is possible to group hosts conveniently and link them to the subscriptions in use. Red Hat Satellite is not limited to centrally managing subscriptions for Red Hat products. You can also add third-party products or your own products and subscribe to them. This makes it much easier to manage the software available in the organization. In one place you can see how many systems use a given product or subscription.
Red Hat Satellite provides advanced functions for managing Red Hat and third-party subscriptions and software, configuration management (Puppet modules, Ansible roles and remote command execution), host and service provisioning, automatic host detection and maintenance of the SOE, together with software life cycle management and comprehensive auditing.
Red Hat Satellite also supports multiple environments in a multi-tenant model, RBAC (Role-Based Access Control) management, integration with Microsoft Active Directory, Red Hat Identity Management or Red Hat Directory Server, as well as management via CLI, GUI and API.
The Red Hat Satellite architecture includes:
• Foreman – allows you to build physical and virtual servers from scratch, manage their configuration, control and audit them, and generate reports.
• Katello – is a plugin for Foreman. It handles subscription and repository management. It makes it possible to subscribe to external repositories, as well as to version them and distribute them to managed hosts in accordance with the adopted software life cycle and their environment (Lifecycle Management).
• Candlepin – is a service inside of Katello that deals with the subscription management.
• Pulp – is a service inside Katello, which deals with servicing shared software and module repositories (repository and content management).
We have only outlined the most common functions of Red Hat Satellite. It should be noted that there is a large number of different configuration options behind each use case. Red Hat Satellite is not just a product for the central management and distribution of software and subscriptions. More and more new features are focused on security, automation and servicing physical servers, virtualization environments as well as private and public clouds.
¹ Verizon, “2018 Data Breach Investigations Report,” March 2018. https://enterprise.verizon.com/resources/reports/dbir/