Cooking security sans@night

  1. Cooking Security
     Speaker: Joshua Timberman, Technical Evangelist
     ‣ joshua@opscode.com
     ‣ @jtimberman
     ‣ www.opscode.com
     Copyright © 2010 Opscode, Inc - All Rights Reserved
  2. % whoami
     System Administrator
     Web Operations
     Opscode Cookbooks
     Training and Support
  3. Developers? Systems Administrators? “Business” People?
     (photo: http://www.flickr.com/photos/timyates/2854357446/sizes/l/)
  4. Just what is Configuration Management?
  5. A picture is worth...
  6. A thousand words!
     “... Is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life. For information assurance, [it] can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - en.wikipedia.org
  7. Infrastructure as Code is... a technical domain revolving around building and managing infrastructure programmatically
     (photo: http://www.flickr.com/photos/kwerfeldein/2634561264/sizes/o/)
  8. Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
  9. Understand the goals
     Automation
     Stability
     Scalability
     Security
  10. Security
      (photo: http://www.flickr.com/photos/anonymouscollective/2291896028/)
  11. Policy Compliance
      (photo: http://www.flickr.com/photos/gi/168406150/)
  12. Policy Compliance
      Not a silver bullet
      Best practices, applied
  13. # u is one item from the users data bag; home_dir is that user's home directory
      template "#{home_dir}/.ssh/authorized_keys" do
        source "authorized_keys.erb"
        owner u['uid']
        group u['id']
        mode "0600"
        variables :ssh_keys => u['ssh_keys']
      end

      # sudoers.erb fragment: members of the given group get passwordless sudo
      %<%= group %> ALL=(ALL) NOPASSWD: ALL
  14. Enable the business
  15. Auditing and Documentation
      (photo: http://www.flickr.com/photos/hryckowian/2176673733/)
  16. Auditing and Documentation
      Declarative language
      Version control
  17. package "ntp" do
        action :install
      end

      service "ntp" do
        action :start
      end

      template "/etc/ntp.conf" do
        source "ntp.conf.erb"
        owner "root"
        group "root"
        mode 0644
      end
  18. % git log ntp/recipes/default.rb
      commit a5991547215757ed25e2944f93faa437fad1e5a5
      Author: jtimberman <joshua@opscode.com>
      Date:   Sun Sep 27 23:39:05 2009 -0600

          cook-188, update copyright notices, regen metadata too

      commit 524ee910f391acadec52362419ce27dbdcdb9969
      Author: jtimberman <joshua@opscode.com>
      Date:   Wed Mar 4 17:08:10 2009 -0700

          cook-13, add ntp cookbook
  19. It's like built-in change management
  20. Logging subsystems
      (photo: http://www.flickr.com/photos/mikeyworld/3588020070/)
  21. Defense in Depth is hard
      (photo: http://www.flickr.com/photos/furryscalyman/2081849769/)
  22. Managing Infrastructure Is Hard (Has Always Been)
      Big players (timeline: 1980, 1989, 1999, 2001)
      • Reach just a handful of large, enterprise customers
      • Require custom implementations with large professional services bills
      • Deployed exclusively on-premise
      • Acquired by companies with large consulting organizations (IBM, HP, CA)
  23. Defense in Depth...
      Configuration layers
      Access controls
      Incident handling
      ‣ Rebuilding/redeployment
  24. You need system integration
      (photo: http://www.flickr.com/photos/opalsson/3773629074/)
  25. (image: http://www.brooklynstreetart.com/theBlog/wp-content/uploads/2008/12/swedish_chef_bork-sleeper-cell.jpg)
  26. At a High Level...
      ‣ A library for configuration management
      ‣ A configuration management system
      ‣ A systems integration platform
      ‣ An API for your entire Infrastructure
      (photo: http://www.flickr.com/photos/asten/2159525309/sizes/l/)
  27. Open source and community
  28. (image slide)
  29. Ruby
      (photo: http://www.flickr.com/photos/thisisbossi/3526698689/)
  30. Platforms: Debian, Mac OS X, SuSE, CentOS, Gentoo, Solaris, ArchLinux, OpenBSD, Windows, FreeBSD, Ubuntu, Red Hat, Fedora, Scientific
  31. Principles
      Idempotent
      Data-driven
      Sane defaults
      TMTOWTDI
  32. Multiple applications of an operation do not change the result
      (photo: http://www.flickr.com/photos/redjar/360111326/)
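An added illustration, not code from the slides or from Opscode's cookbooks, tying the authorized_keys template on slide 13 to the idempotence principle on slide 32: plain Ruby (no Chef required) renders the key file from a users data bag item and converges it the way a template resource would, so a repeat run reports no change and a key appended by hand is gone after the next run. The data bag item, the ERB body and the helper names are assumptions.

```ruby
require 'erb'
require 'fileutils'
require 'tmpdir'
# Constructed stand-in for one item of the "users" data bag that the slide's
# template resource reads (u['id'], u['uid'], u['ssh_keys']); not real keys.
USER = {
  'id'       => 'jtimberman',
  'uid'      => 2001,
  'ssh_keys' => ['ssh-rsa AAAAEXAMPLEKEY1 jtimberman@laptop',
                 'ssh-rsa AAAAEXAMPLEKEY2 jtimberman@desktop']
}

# Assumed body of authorized_keys.erb: exactly one key per line and nothing
# else, so the file holds only the keys the data bag (the policy) lists.
AUTHORIZED_KEYS_ERB = "<% ssh_keys.each do |key| -%>\n<%= key %>\n<% end -%>\n"

def render_authorized_keys(ssh_keys)
  ERB.new(AUTHORIZED_KEYS_ERB, trim_mode: '-').result_with_hash(ssh_keys: ssh_keys)
end

# Converge a file the way a Chef template resource does: inspect current state,
# change only what differs, report whether anything changed (true/false).
# A second run against an unchanged system returns false: idempotence.
def converge_file(path, content, mode)
  changed = false
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  unless File.exist?(path) && File.read(path) == content
    # Create with the final mode so the key file is never group/world readable,
    # not even between creation and a later chmod.
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.write(content) }
    changed = true
  end
  if (File.stat(path).mode & 0o777) != mode
    File.chmod(mode, path)
    changed = true
  end
  changed
end

def converge_authorized_keys(home_dir, user)
  path = File.join(home_dir, '.ssh', 'authorized_keys')
  converge_file(path, render_authorized_keys(user['ssh_keys']), 0o600)
end

# Three runs: create, no-op, then repair after someone appended an unmanaged
# key by hand (drift). Returns the change flags and the final key count.
def demo
  Dir.mktmpdir do |home|
    keyfile = File.join(home, '.ssh', 'authorized_keys')
    runs = [converge_authorized_keys(home, USER), converge_authorized_keys(home, USER)]
    File.open(keyfile, 'a') { |f| f.puts 'ssh-rsa AAAAUNMANAGED someone@else' }
    runs << converge_authorized_keys(home, USER)
    { runs: runs, keys: File.readlines(keyfile).size }
  end
end
puts demo.inspect if $PROGRAM_NAME == __FILE__
```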
  33. We start with APIs, you supply data
      (photo: http://www.flickr.com/photos/ninjanoodles/153893226/)
  34. Defaults are sane, but changed easily
      option :json_attribs,
        :short => "-j JSON_ATTRIBS",
        :long => "--json-attributes JSON_ATTRIBS",
        :description => "Load attributes from a JSON file or URL",
        :proc => nil

      option :node_name,
        :short => "-N NODE_NAME",
        :long => "--node-name NODE_NAME",
        :description => "The node name for this client",
        :proc => nil
  35. Tim Toady is a Perl motto
      (photo: http://www.flickr.com/photos/lidarose/225156612)
  36. Chef... How does it work?
      (photo: http://www.flickr.com/photos/38299630@N05/3635356091/)
  37. Chef Client runs on your systems
  38. Clients talk to a Chef Server
  39. Clients authenticate with RSA keys
      (photo: http://www.flickr.com/photos/debbcollins/3401944550/)
  40. We call each system you configure a Node
      (photo: http://www.flickr.com/photos/peterrosbjerg/3913766224/)
  41. Nodes have Attributes (slide callouts: kernel info, platform info, hostname and IP)
      {
        "kernel": {
          "machine": "x86_64",
          "name": "Darwin",
          "os": "Darwin",
          "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
          "release": "10.4.0"
        },
        "platform_version": "10.6.4",
        "platform": "mac_os_x",
        "platform_build": "10F569",
        "domain": "local",
        "os": "darwin",
        "current_user": "jtimberman",
        "ohai_time": 1278602661.60043,
        "os_version": "10.4.0",
        "uptime": "18 days 17 hours 49 minutes 18 seconds",
        "ipaddress": "10.13.37.116",
        "hostname": "cider",
        "fqdn": "cider.local",
        "uptime_seconds": 1619358
      }
  42. The server stores JSON data about Nodes
      (photo: http://www.flickr.com/photos/jurvetson/12688704/)
  43. Attributes are Searchable
      $ knife search node 'platform:mac_os_x'
      search(:node, 'platform:mac_os_x')
  44. Nodes have a Run List: what Roles or Recipes to apply, in order
  45. Nodes have Roles
      (photo: http://www.flickr.com/photos/laenulfean/374398044/)
  46. Roles have a Run List: what Roles or Recipes to apply, in order
  47. name "webserver"
      description "Systems that serve HTTP traffic"
      run_list(
        "role[base]",              # can include other roles!
        "recipe[apache2]",
        "recipe[apache2::mod_ssl]"
      )
      default_attributes(
        "apache" => {
          "listen_ports" => [ "80", "443" ]
        }
      )
      override_attributes(
        "apache" => {
          "max_children" => "50"
        }
      )
  48. Roles are Searchable
      $ knife search role 'max_children:50'
      search(:role, 'max_children:50')
  49. Chef manages Resources on Nodes
  50. Chef knows many different Resources: remote_file, link, cookbook_file, service, ruby_block, template, execute, user, bash, git, log, package, deploy, http_request
  51. Resources take action through Providers
      (photo: http://www.flickr.com/photos/affableslinky/562950216/)
  52. Resources, Platform, Provider (diagram)
      (photo: http://www.flickr.com/photos/acurbelo/2628837104/sizes/o/)
  53. Recipes are lists of Resources
      (photo: http://www.flickr.com/photos/roadsidepictures/2478953342/sizes/o/)
  54. Order Matters
  55. How does it help me secure my systems?
  56. Automate your infrastructure configuration
      (photo: http://www.flickr.com/photos/pickinjim/525129498)
  57. The Benefits of Automation
      Efficiency
      Economics
      Scalability
  58. Chef automation workflow
      Define your policy
      Write policy as simple code
      Deploy configuration in testing
      Deploy in production
  59. Infrastructure as Code
      Source repository
      Application data backup
      Bare metal resources
  60. Leverage a community
      Open Source software
      Operations experts
      Team collaboration
  61. Not everything can be automated
      Security people say “No”.
      This is as much culture as policy.
      Automating humans is hard.
  62. Resources/Questions
      www.opscode.com/chef
      IRC and Mailing lists
      ‣ irc.freenode.net #chef
      ‣ lists.opscode.com
      Twitter:
      ‣ @opscode, #opschef
      ‣ @jtimberman
      Questions?