Group Differencing
The Node Groups drop-down menu on the Monitored tab (
To generate a difference report for two node groups in the Monitored tab, complete the following steps:
Note: Alternatively, you can select three or more individual nodes for differencing from the 'All Nodes' node group.
- In the Node Groups drop-down menu, click to Show all X groups. The All Node Groups page is displayed.
- Select two or more node groups, then click the Group Diff button. The difference report for the selected node groups is displayed.
In the example below, the 'GCP Compute Engine' and 'GCP Compute Engine Virtual Machine Configuration' node groups have been selected for differencing. Here, you can configure the scan results for the node groups to access the data required.
Total Differences
When doing a Group Diff, the Total Differences drop-down menu represents the similarities and differences between the two node groups' configuration items via a color gradient consensus ranking. Each configuration item is represented by a square, and each square is assigned a color according to its category. Technically, the configuration items are only divided into two categories:
- Common (Light Gray) – Configuration items that are present on both nodes, with no differences.
- Different (Yellow/Orange) – Configuration items that are present on both nodes, but have different attributes.
However, the Different configuration items are represented via a color gradient, with the color's intensity varying according to the number of differences present in each node group. Common configuration items are all displayed as light gray, defined as achieving More consensus because there are no differences between the attributes within each node group. A configuration item that is present on both nodes with a minor difference is displayed as light yellow. Likewise, a configuration item that is entirely different for each node group is displayed as bright orange, defined as achieving Less consensus. A configuration item's color intensity is therefore defined by the number of differences present between each node group, and the color gradient represents the level of consensus achieved between the node groups.
Note: The presentation of this data was inspired by the Raft election metaphor. The focus is on determining not only what configuration is the same, but also how much difference is present between the two node groups. Hence the consensus ranking system.
In addition, the Total Differences drop-down menu displays the total percentage of differences present across all configurations and active nodes. For example, between the 'GCP Compute Engine' and 'GCP Compute Engine Virtual Machine Configuration' node groups, the difference report is comparing 732 configuration items across 5 active nodes, with differences present in 38.66% of configurations.
To view more information about a configuration item's differences between the nodes for each node group, select one of the colored squares. Once selected, a side panel is displayed with the name of the configuration item, each attribute within that configuration setting, and then the differences between each attribute.
In the example above, we can see the results of the Inventory configuration item, 'can_ip_forward'. Here, certain attributes are present within one node that are absent within the others, and vice versa. You can use your own knowledge of the configuration to determine whether any action needs to be taken to reduce the number of differences present between each group of nodes.
Display
When differencing two or more node groups, you can filter the configuration items according to the following categories:
- Common (Light Gray) – Configuration items that are present on both nodes, with no differences.
- Different (Yellow/Orange) – Configuration items that are present on both nodes, but have different attributes.
- Ignored Items – Configuration items that have been configured to be ignored within the difference report. For more information on how to configure your ignore list, see Node Scan Ignore Lists.
Switch the toggle on or off for one or more categories to filter the results of your node scans. For example, you could disable all Common configuration items, to only display the items that contain differences.
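The consensus ranking and total-difference percentage described under Total Differences, together with the Ignored Items filter above, as an added Python example (not the product's own implementation). The scoring formula (share of nodes holding the most common value), the treatment of an absent item as a difference, and the node names and values are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample scan data: node name -> {configuration item -> value}.
SCANS = {
    "vm-a": {"can_ip_forward": False, "machine_type": "e2-medium",
             "zone": "us-east1-b", "os_login": True},
    "vm-b": {"can_ip_forward": False, "machine_type": "e2-medium",
             "zone": "us-east1-c", "os_login": True},
    "vm-c": {"can_ip_forward": True, "machine_type": "e2-medium",
             "zone": "us-west1-a"},  # os_login absent on this node
    "vm-d": {"can_ip_forward": False, "machine_type": "e2-medium",
             "zone": "us-east1-b", "os_login": True},
}
MISSING = "<absent>"  # assumption: an item missing from a node counts as a difference


def item_consensus(scans, item):
    """Share of nodes holding the most common value (1.0 = full consensus)."""
    # repr() keeps unhashable values such as lists or dicts countable.
    values = Counter(repr(node.get(item, MISSING)) for node in scans.values())
    return values.most_common(1)[0][1] / len(scans)


def group_diff(scans, ignore=()):
    """Classify each item as common, different or ignored, with its consensus."""
    report = {}
    for item in sorted({key for node in scans.values() for key in node}):
        if item in ignore:
            report[item] = ("ignored", None)
            continue
        consensus = item_consensus(scans, item)
        category = "common" if consensus == 1.0 else "different"
        report[item] = (category, consensus)
    return report


def total_difference_pct(report):
    """Percentage of non-ignored items that differ on at least one node."""
    counted = [cat for cat, _ in report.values() if cat != "ignored"]
    if not counted:
        return 0.0
    return round(100 * counted.count("different") / len(counted), 2)


def review_order(report):
    """Different items, least consensus (most intense square) first."""
    differing = [(c, item) for item, (cat, c) in report.items() if cat == "different"]
    return [item for _, item in sorted(differing)]
```

Sorting by least consensus puts the items a reviewer should look at first, such as a single node with `can_ip_forward` enabled, at the top of the list.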
Active Nodes
The Active Nodes drop-down menu displays each node that is present and active within the selected node groups. Here, you can filter the configuration items according to individual nodes. Select the toggle for one or more nodes to filter the results of your group diff report. Additionally, you can add a node that is separate from either node group to the group diff. Click to Add Node to Diff. The display is updated accordingly.
Configuration Items
For each configuration item within the report, there is a set of corresponding settings that can be applied. To access a configuration item's settings, right-click on the square within the report. The following list of options is displayed:
- Add to Policy – Create a policy from the selected scan of the configuration item to uphold the current state. For more information, see Policies.
- Dynamic Node Group – Create a dynamic node group with a (dynamic group) query that automatically assigns any nodes that match the selected configuration item's value(s) to the group. For more information, see Dynamic Group Queries.
- Add to Ignore List – Add the configuration item to the ignore list for the selected node's scans and drift reports. For more information, see Node Scan Ignore Lists.
- Lookup – Search your default browser for the name of the configuration item you selected.
- Add Scan Option – This option is only displayed for files. Add a file scan option for the selected configuration item. Select a node group from the list of options displayed to scan the raw contents of the file as part of the node group's regular scanning. The results of the file scan are then displayed within the configuration item itself. For more information on additional scan options that can be configured, see Scan Options.
Note: Alternatively, you can add a directory to be scanned within the node's group settings. For more information, see Edit Node Group.