Node Groups

Node groups are a powerful mechanism within Cloudhouse Guardian (Guardian) that are used to group nodes with similar properties and roles. For example, you could choose to organize your nodes according to device type, operating system, application, or any other combination of defining criteria. At the node group level, you can assign policies to uphold a desired state of configuration, apply benchmarks to evaluate whether the nodes are compliant with the stipulated parameters, or use a dynamic group query to define a pattern or common attribute occurring in nodes. The Node Groups drop-down menu on the Monitored tab (Inventory > Monitored) displays all of the nodes and node groups that are currently being scanned and surveilled within your Guardian instance. Here, you can view, edit, and configure your existing node groups. The following topic describes the different types of node groups you can create, including how to utilize the full scope of functionality available within the Node Groups drop-down menu. For more information on how to add a node group, see Add Node Group.

Node groups simplify the management of node-related settings for Node Scan Ignore Lists, Scan Options, Policies, and Benchmarks. Once these settings are configured for a node group, they are applied to each node within that group; you do not have to apply those settings individually. A node can be added to any number of node groups. When set up correctly, the only consideration you need to make when adding a new node is that it is organized within the appropriate node group(s). The group-level settings will then take care of everything else. There are two types of node groups within Guardian, a standard (static) node group and a dynamic node group. For more information on the differences between the two, see below.

Note: Benchmarks are composed of Center for Internet Security (CIS) policies. Whilst Guardian policies and CIS benchmarks are applied at the node group level, it is likely that various aspects of the policy will not apply to each node within the group. As a result, you may have several nodes within a group that are 'unmanaged', which means they do not have a policy applied. Cloudhouse advises that each node has a policy or benchmark applied. For more information, see Benchmarks.

Static / Dynamic Node Groups

There are two types of node groups you can create: a standard (static) node group or a dynamic node group. Traditional node groups within Guardian are static in nature. Without manual intervention, they remain exactly as they were created until they are removed. This method requires you to manually add nodes to the group as required. It is the simpler method and works best for node types that aren't expected to change much over time.

Dynamic node groups are more flexible in nature. They are defined by a pattern or common attribute that is set via a dynamic search query. Rather than being statically assigned, any nodes that would be returned by the query are automatically assigned to the node group. Likewise, any nodes that fail to satisfy the query will be removed from the group. Dynamic node groups were created as a solution to the ever-changing landscape of many enterprises, allowing the group to grow or shrink as the composition of the enterprise changes.

Note: As demonstrated in the screenshot below, there is no option to manually add nodes to a dynamic node group. The nodes must fit the criteria stipulated within the dynamic group query in order to be automatically assigned.

When creating a new node group, the only difference between a static and dynamic group is the addition of a dynamic group query. In the example below, the dynamic group query has been set to automatically add any nodes with a Linux operating system to the group. You could further constrain the scope of the query by defining additional properties, such as the version number. Or, you could specify operating system versions to exclude from the search. There are plenty of options for customizing the scope of the query according to your needs. For more information on dynamic group queries, see Dynamic Group Queries.

Note: You can also use regular expressions to set node rules for both dynamic and static node groups. However, unlike dynamic group queries, node rules only define the criteria for adding nodes to groups; they do not remove nodes that no longer meet the rule's criteria. Removing those nodes requires manual intervention. For more information, see Node Rules.
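The difference between the two membership behaviours described above, modelled in Python as an added example (this is not Guardian code and does not use Guardian's query or rule syntax). The `Node` fields, the `is_linux` predicate standing in for a dynamic group query, and the regular expression matched against the OS string are all assumptions, and the inventory is constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:          # hypothetical node record, not Guardian's schema
    name: str
    os: str

@dataclass
class Group:
    members: set = field(default_factory=set)

def sync_dynamic(group, nodes, query):
    """Dynamic group: membership becomes exactly what the query returns."""
    group.members = {n.name for n in nodes if query(n)}

def apply_node_rule(group, nodes, pattern):
    """Node rule: matching nodes are added, existing members are never removed."""
    rx = re.compile(pattern, re.IGNORECASE)
    group.members |= {n.name for n in nodes if rx.search(n.os)}

def stale_members(group, nodes, pattern):
    """Members that no longer match the rule and need manual removal."""
    rx = re.compile(pattern, re.IGNORECASE)
    matching = {n.name for n in nodes if rx.search(n.os)}
    return sorted(group.members - matching)

RULE = r"linux"                                   # assumed rule pattern
is_linux = lambda n: "linux" in n.os.lower()      # stand-in for a dynamic query

# Constructed inventory: web-02 is rebuilt as Windows between the two scans.
SCAN_1 = [Node("web-01", "Linux"), Node("web-02", "Linux"), Node("db-01", "Windows")]
SCAN_2 = [Node("web-01", "Linux"), Node("web-02", "Windows"), Node("db-01", "Windows")]

def run():
    dynamic, ruled = Group(), Group()
    for scan in (SCAN_1, SCAN_2):
        sync_dynamic(dynamic, scan, is_linux)
        apply_node_rule(ruled, scan, RULE)
    return (sorted(dynamic.members), sorted(ruled.members),
            stale_members(ruled, SCAN_2, RULE))

if __name__ == "__main__":
    print(run())
```

In this model, web-02 drops out of the dynamic group after the second scan but stays in the rule-populated group, so it keeps inheriting that group's settings until it is removed by hand.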

Scan Options

When accessing a node group, click the Scan drop-down list to display the following scan-related options:

Note: If you view a node group with no nodes in it, the Scan button is replaced with the Add a Node button. However, the options displayed in the Add a Node drop-down list are the same as below. For more information on how to add a node, see Add Nodes.

  • View Change Report – Click to view a change report for the selected node group. See Change Report for more information.

  • Export Node List – Click to download a CSV file of each of the nodes contained within the selected node group, with basic information about each node.

  • Export Scan Options – Click to download a JSON file of the selected node group's scan options. See Scan Options for more information.

  • Export Node Scans – Click to download a ZIP folder of the scans that occurred for each of the nodes within the selected node group.

Tip: To learn how to access a node group's settings, see Node Group Settings.