Cooking security sans@night
Presentation Transcript

    • Cooking Security. Speaker: Joshua Timberman, Technical Evangelist ‣ joshua@opscode.com ‣ @jtimberman ‣ www.opscode.com. Copyright © 2010 Opscode, Inc - All Rights Reserved
    • % whoami: System Administrator, Web Operations, Opscode Cookbooks, Training and Support
    • Developers? Systems Administrators? “Business” People? (image: http://www.flickr.com/photos/timyates/2854357446/sizes/l/)
    • Just what is Configuration Management?
    • A picture is worth...
    • A thousand words! “... Is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life. For information assurance, [it] can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - en.wikipedia.org
    • Infrastructure as Code is... a technical domain revolving around building and managing infrastructure programmatically. (image: http://www.flickr.com/photos/kwerfeldein/2634561264/sizes/o/)
    • Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
    • Understand the goals: Automation, Stability, Scalability, Security
    • Security (image: http://www.flickr.com/photos/anonymouscollective/2291896028/)
    • Policy Compliance (image: http://www.flickr.com/photos/gi/168406150/)
    • Policy Compliance: not a silver bullet; best practices, applied.
    • Policy as code: a recipe fragment that manages a user's authorized_keys file (here `u` is assumed to be a hash describing one user, e.g. a data bag item; the hash keys are quoted so the lookups are valid Ruby):

          # Render the user's authorized_keys from a template, readable only by the owner.
          template "#{home_dir}/.ssh/authorized_keys" do
            source "authorized_keys.erb"
            owner u["uid"]
            group u["id"]
            mode "0600"
            variables :ssh_keys => u["ssh_keys"]
          end

      And a sudoers template line granting a group passwordless sudo, rendered from the `group` template variable:

          %<%= group %> ALL=(ALL) NOPASSWD: ALL
    • Enable the business
    • Auditing and Documentation (image: http://www.flickr.com/photos/hryckowian/2176673733/)
    • Auditing and Documentation: declarative language, version control
    • A declarative recipe: install the ntp package, start the service, and manage its configuration file.

          package "ntp" do
            action :install
          end

          service "ntp" do
            action :start
          end

          template "/etc/ntp.conf" do
            source "ntp.conf.erb"
            owner "root"
            group "root"
            mode 0644
          end

    • The recipe's history lives in version control:

          % git log ntp/recipes/default.rb
          commit a5991547215757ed25e2944f93faa437fad1e5a5
          Author: jtimberman <joshua@opscode.com>
          Date:   Sun Sep 27 23:39:05 2009 -0600

              cook-188, update copyright notices, regen metadata too

          commit 524ee910f391acadec52362419ce27dbdcdb9969
          Author: jtimberman <joshua@opscode.com>
          Date:   Wed Mar 4 17:08:10 2009 -0700

              cook-13, add ntp cookbook

    • It's like built-in change management
    • Logging subsystems (image: http://www.flickr.com/photos/mikeyworld/3588020070/)
    • Defense in Depth is hard (image: http://www.flickr.com/photos/furryscalyman/2081849769/)
    • Managing Infrastructure Has Always Been Hard (timeline slide, 1980, 1989, 1999, 2001). Big players: reach just a handful of large, enterprise customers; require custom implementations with large professional services bills; deployed exclusively on-premise; acquired by companies with large consulting organizations (IBM, HP, CA).
    • Defense in Depth... configuration layers, access controls, incident handling ‣ rebuilding/redeployment
    • You need system integration (image: http://www.flickr.com/photos/opalsson/3773629074/)
    • (image: http://www.brooklynstreetart.com/theBlog/wp-content/uploads/2008/12/swedish_chef_bork-sleeper-cell.jpg)
    • At a High Level... ‣ A library for configuration management ‣ A configuration management system ‣ A systems integration platform ‣ An API for your entire Infrastructure (image: http://www.flickr.com/photos/asten/2159525309/sizes/l/)
    • Open source and community
    • Ruby (image: http://www.flickr.com/photos/thisisbossi/3526698689/)
    • Platforms: Debian, Ubuntu, Red Hat, CentOS, Fedora, Scientific, SuSE, Gentoo, ArchLinux, Mac OS X, Solaris, FreeBSD, OpenBSD, Windows
    • Principles: Idempotent, Data-driven, Sane defaults, TMTOWTDI
    • Idempotent: multiple applications of an operation do not change the result (image: http://www.flickr.com/photos/redjar/360111326/)
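As an added illustration of the idempotence principle (not code from the slides or from the Opscode cookbooks), here is a minimal file resource in plain Ruby modelled on the authorized_keys template earlier in the deck: it converges a file's content and mode, reports what it actually changed, and does nothing on a second run. The key text is a constructed placeholder.

```ruby
# Added example, not from the slides or the Opscode cookbooks: a minimal idempotent
# file resource in plain Ruby, modelled on the authorized_keys template slide.
# Applying it twice leaves the same state, and the second run takes no action.
require "tmpdir"

class ManagedFile
  attr_reader :path, :content, :mode

  def initialize(path, content:, mode: 0o600)
    @path, @content, @mode = path, content, mode
  end

  # Converge the file toward the declared state. Returns the actions actually
  # taken; an empty array means the file already matched and nothing was touched.
  def apply
    actions = []
    unless File.file?(path) && File.read(path) == content
      File.write(path, content)
      actions << :write_content
    end
    if (File.stat(path).mode & 0o777) != mode
      File.chmod(mode, path)
      actions << :chmod
    end
    actions
  end
end

# Converge a constructed authorized_keys file three times: create it, re-run
# (no-op), then repair permission drift after the file was made world-readable.
def demo_idempotent_converge
  Dir.mktmpdir do |dir|
    keys = File.join(dir, "authorized_keys")
    res = ManagedFile.new(keys,
                          content: "ssh-rsa AAAA...PLACEHOLDER user@example\n",  # constructed, not a real key
                          mode: 0o600)
    first  = res.apply          # writes the file and sets mode 0600
    second = res.apply          # nothing left to do
    File.chmod(0o644, keys)     # simulate drift on the managed node
    third  = res.apply          # only the mode is corrected
    [first, second, third]
  end
end
```

The returned action lists make the convergence auditable: a run that reports `[]` is proof the node already matched policy, and a run that reports `[:chmod]` alone shows exactly which control had drifted.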
    • Data-driven: we start with APIs, you supply data (image: http://www.flickr.com/photos/ninjanoodles/153893226/)
    • Sane defaults: defaults are sane, but changed easily. Two command-line option definitions from the Chef client:

          option :json_attribs,
            :short => "-j JSON_ATTRIBS",
            :long => "--json-attributes JSON_ATTRIBS",
            :description => "Load attributes from a JSON file or URL",
            :proc => nil

          option :node_name,
            :short => "-N NODE_NAME",
            :long => "--node-name NODE_NAME",
            :description => "The node name for this client",
            :proc => nil

    • TMTOWTDI (“There's More Than One Way To Do It”, pronounced Tim Toady) is a Perl motto (image: http://www.flickr.com/photos/lidarose/225156612)
    • Chef... How does it work? (image: http://www.flickr.com/photos/38299630@N05/3635356091/)
    • Chef Client runs on your systems
    • Clients talk to a Chef Server
    • Clients authenticate with RSA keys (image: http://www.flickr.com/photos/debbcollins/3401944550/)
    • We call each system you configure a Node (image: http://www.flickr.com/photos/peterrosbjerg/3913766224/)
    • Nodes have Attributes: kernel info, platform info, hostname and IP, and more.

          {
            "kernel": {
              "machine": "x86_64",
              "name": "Darwin",
              "os": "Darwin",
              "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
              "release": "10.4.0"
            },
            "platform_version": "10.6.4",
            "platform": "mac_os_x",
            "platform_build": "10F569",
            "domain": "local",
            "os": "darwin",
            "current_user": "jtimberman",
            "ohai_time": 1278602661.60043,
            "os_version": "10.4.0",
            "uptime": "18 days 17 hours 49 minutes 18 seconds",
            "ipaddress": "10.13.37.116",
            "hostname": "cider",
            "fqdn": "cider.local",
            "uptime_seconds": 1619358
          }

    • The server stores JSON data about Nodes (image: http://www.flickr.com/photos/jurvetson/12688704/)
    • Attributes are Searchable, from the command line and from within a recipe:

          $ knife search node 'platform:mac_os_x'
          search(:node, 'platform:mac_os_x')

    • Nodes have a Run List: what Roles or Recipes to apply, in order
    • Nodes have Roles (image: http://www.flickr.com/photos/laenulfean/374398044/)
    • Roles have a Run List: what Roles or Recipes to apply, in order
    • A role definition. A role's run list can include other roles:

          name "webserver"
          description "Systems that serve HTTP traffic"
          run_list(
            "role[base]",
            "recipe[apache2]",
            "recipe[apache2::mod_ssl]"
          )
          default_attributes(
            "apache" => {
              "listen_ports" => [ "80", "443" ]
            }
          )
          override_attributes(
            "apache" => {
              "max_children" => "50"
            }
          )

    • Roles are Searchable:

          $ knife search role 'max_children:50'
          search(:role, 'max_children:50')
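The run list slides say that nodes and roles each carry an ordered run list and that roles can include other roles. As an added example (not Chef's own implementation), the following plain Ruby expands a node's run list through nested roles, keeps the first-seen order, applies each recipe once, and rejects a role that includes itself through another role. The role table is constructed sample data shaped like the webserver role above.

```ruby
# Added example, not Chef's own code: expand a node's run list through nested roles
# (the webserver role pulls in role[base]), keeping the order the run list gives,
# applying each recipe once, and refusing role cycles instead of looping forever.
class RoleCycleError < StandardError; end

# Constructed sample roles, keyed by role name, each mapping to its run list.
ROLES = {
  "base"       => ["recipe[ntp]", "recipe[users]"],
  "webserver"  => ["role[base]", "recipe[apache2]", "recipe[apache2::mod_ssl]"],
  "monitoring" => ["recipe[ntp]", "recipe[nagios::client]"],
  "loop_a"     => ["role[loop_b]"],
  "loop_b"     => ["role[loop_a]"],
}

# Returns the ordered, de-duplicated list of recipes the node will run.
# `seen` is the chain of roles currently being expanded, used to detect cycles.
def expand_run_list(run_list, roles = ROLES, seen = [], out = [])
  run_list.each do |item|
    if (m = item.match(/\Arecipe\[([^\]]+)\]\z/))
      recipe = "recipe[#{m[1]}]"
      out << recipe unless out.include?(recipe)   # first occurrence wins: order matters
    elsif (m = item.match(/\Arole\[([^\]]+)\]\z/))
      name = m[1]
      if seen.include?(name)
        raise RoleCycleError, "role cycle: #{(seen + [name]).join(' -> ')}"
      end
      nested = roles.fetch(name) { raise KeyError, "unknown role: #{name}" }
      expand_run_list(nested, roles, seen + [name], out)
    else
      raise ArgumentError, "malformed run list item: #{item.inspect}"
    end
  end
  out
end

# Demonstration: a node whose run list names two roles that both include ntp.
def webserver_node_recipes
  expand_run_list(["role[webserver]", "role[monitoring]"])
end

puts webserver_node_recipes if __FILE__ == $PROGRAM_NAME
```

Because expansion is deterministic, the same node definition always yields the same recipe order, which is what makes a converge reproducible from the repository alone, as the "reconstruct the business from source" slide demands.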
    • Chef manages Resources on Nodes
    • Chef knows many different Resources: remote_file, link, cookbook_file, service, ruby_block, template, execute, user, bash, git, log, package, deploy, http_request
    • Resources take action through Providers (image: http://www.flickr.com/photos/affableslinky/562950216/)
    • Resources, Platform, Provider (diagram; image: http://www.flickr.com/photos/acurbelo/2628837104/sizes/o/)
    • Recipes are lists of Resources (image: http://www.flickr.com/photos/roadsidepictures/2478953342/sizes/o/)
    • Order Matters
    • How does it help me secure my systems?
    • Automate your infrastructure configuration (image: http://www.flickr.com/photos/pickinjim/525129498)
    • The Benefits of Automation: Efficiency, Economics, Scalability
    • Chef automation workflow: define your policy; write policy as simple code; deploy configuration in testing; deploy in production
    • Infrastructure as Code: source repository, application data backup, bare metal resources
    • Leverage a community: Open Source software, operations experts, team collaboration
    • Not everything can be automated. Security people say “No”. This is as much culture as policy. Automating humans is hard.
    • Resources/Questions: www.opscode.com/chef. IRC and mailing lists ‣ irc.freenode.net #chef ‣ lists.opscode.com. Twitter: ‣ @opscode, #opschef ‣ @jtimberman. Questions?