Hardening Your Config Management - Security and Attack Vectors in Config Management

Configuration management is a great tool for helping with hardening and securing servers. But with any addition of new technology comes a new attack vector: Who watches the watchers?

Security is painful. Luckily, the invention of configuration management tools has made this process easier, by allowing repeatable configuration for common hardening. However, there is a catch-22: how do we harden the configuration management itself?

When you have a tool that enables you to change systems at a fundamental level, it's a fairly tempting target for malicious agents, and one that would cause a lot of problems if compromised.

We'll be discussing some general patterns we can use to mitigate these problems:
- Whitelisting "master" APIs
- Encrypting sensitive data
- Adding a security element to code review

And we'll talk about some application-specific options for some of the most popular tools out there, such as Puppet, Chef, Ansible, CFEngine and Salt.
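Of the three patterns above, adding a security element to code review can be partly automated. The lint below is an added example written for this page, not code from the talk or from any of the tools it names: it flags secret-looking keys that are assigned a literal in config-management code, and accepts a data-layer lookup instead (a Hiera `lookup()`, a variable reference, an Ansible `{{ }}` template, or a hiera-eyaml `ENC[...]` value). The sample manifests and the eyaml ciphertext are constructed placeholders.

```python
import re
from typing import List, Tuple

# Keys that usually carry secrets in Puppet/Chef/Ansible/Salt code or data.
SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<key>\w*(?:password|passwd|secret|token|api_?key|private_?key)\w*)
    \s*(?:=>|[:=])\s*        # Puppet '=>', YAML ':', plain '='
    (?P<value>.+?)\s*,?\s*$  # assigned value, trailing comma dropped
    """
)
# Values that are fine: a data-layer lookup, a variable reference, an Ansible
# template expression, or an already-encrypted hiera-eyaml blob.
SAFE_VALUE = re.compile(r"^(lookup\(|hiera\(|\$\w|\{\{|ENC\[)")

def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each secret-looking key given a literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SECRET_ASSIGNMENT.search(stripped)
        if match is None:
            continue
        value = match.group("value").strip().strip("'\"")
        if SAFE_VALUE.match(value):
            continue
        findings.append((lineno, stripped))
    return findings

# Constructed samples: password in code ("bad") versus the same class reading
# it from Hiera ("good"); the eyaml ciphertext is a placeholder, not real output.
BAD_MANIFEST = """\
class profile::db {
  class { 'mysql::server':
    root_password => 'hunter2',
  }
}
"""
GOOD_MANIFEST = """\
class profile::db {
  $root_password = lookup('profile::db::root_password')
  class { 'mysql::server':
    root_password => $root_password,
  }
}
"""
EYAML_DATA = "profile::db::root_password: ENC[PKCS7,PLACEHOLDER-CIPHERTEXT]\n"
```

Run `find_hardcoded_secrets` over each changed file in CI or a pre-commit hook and fail the change on any finding, so the secret never reaches the commit history in the first place.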

Hardening Your Config Management - Security and Attack Vectors in Config Management

  1. HARDENING YOUR CONFIG MANAGEMENT - SECURITY AND ATTACK VECTORS IN CONFIG MANAGEMENT
  2. WHO AM I? > Peter Souter > @petersouter > @petems - IRC/GitHub > Professional Services Engineer at Puppet Labs > Work with customers when they buy services and teach Puppet classes
  3. THIS IS MY 3RD FOSDEM!
  4. WHAT IS THIS ALL ABOUT? HTTPS://FLIC.KR/P/BHYT8B
  5. SECURITY IS HARD AND UNDER-APPRECIATED! https://twitter.com/petecheslock/status/595617204273618944
  6. SPECIFIC REQUIREMENTS > MULTIPLE SYSTEMS > EVERY OS HAS ITS OWN QUIRKS AND NUANCES
  7. CONFIG MANAGEMENT IS HERE TO SAVE THE DAY!
  8. HOWEVER...
  9. QUIS CUSTODIET IPSOS CUSTODES?
  10. A SYSTEM CAPABLE OF PERFORMING CONFIGURATION CHANGES ACROSS THOUSANDS OF SERVERS...
  11. COULD CAUSE A LOT OF DAMAGE!
  12. CONFIG MANAGEMENT: A PRETTY BIG ATTACK VECTOR...
  13. HOW DO WE HARDEN CONFIG MANAGEMENT ITSELF?
  14. I DON'T WANT TO FOCUS TOO MUCH ON THE TOOLS THEMSELVES
  15. I HAVE BIASES, BOTH CONSCIOUS AND SUBCONSCIOUS
  16. THERE IS NO ONE-SIZE-FITS-ALL WAY TO HARDEN CONFIG MANAGEMENT!
  17. IT'S A LOT OF CHANGES TO PROCESSES
  18. PEOPLE ARE HARDER TO CHANGE THAN COMPUTERS!
  19. ACCEPT THAT YOU WILL FAIL, AND PLAN ACCORDINGLY
  20. THE BADDIES HAVE MORE TIME/MONEY/ENERGY THAN YOU DO!
  21. YOU WILL FAIL AT SOME POINT. YOU NEED TO FAIL SECURELY
  22. A QUICK SURVEY
  23. WHO HERE USES... > ANSIBLE > CFENGINE > CHEF > PUPPET > SALTSTACK
  24. WHERE TO START?
  25. FIRST 3 RESULTS ARE FROM A COMPANY THAT RHYMES WITH RIPTIRE...
  26. 4TH RESULT: OWASP PRINCIPLES
  27. 5TH RESULT...
  28. 8TH RESULT: PRETTY GOOD BLOG POST
  29. STILL, NOT SUPER IN-DEPTH...
  30. GUESS I'LL HAVE TO ACTUALLY DO SOME RESEARCH...
  31. DATA
  32. IT'S EASY TO LEAK DATA...
  33. ESPECIALLY SOMETHING YOU CAN LOOK FOR AUTOMATICALLY
  34. BEST PRACTICE: SEPARATION OF CONCERNS
  35. REMOVE DATA FROM CODE, ESPECIALLY COMPANY-SPECIFIC DATA!
  36. DATA ABSTRACTION: > PUPPET - HIERA > CHEF - DATA BAGS/ATTRIBUTES > ANSIBLE - ROLES > SALT - GRAINS/PILLAR
  37. BAD
  38. GOOD
  39. ADVANTAGE: NOT ONLY MORE SECURE, BUT CLEANER CODE THAT'S MORE REUSABLE!
  40. THEORETICAL SCENARIO:
  41. YOU SHOULD BE ABLE TO RELEASE MOST CODE YOU WRITE PUBLICLY WITHOUT ANY SORT OF SECURITY ISSUES
  42. ANYTHING SENSITIVE SHOULD BE KEPT IN THE DATA ABSTRACTION LAYER
  43. EXAMPLE: GDS
  44. https://github.com/alphagov/govuk-puppet https://gdstechnology.blog.gov.uk/2016/01/19/opening-gov-uks-puppet-repository/
  45. YOUR DATA IS NOW SEPARATED. HOORAY!
  46. BUT IT'S PLAINTEXT. BOO!
  47. ENCRYPTION
  48. ENCRYPTING DATA WITH YOUR APPLICATION-SPECIFIC TOOLS:
  49. > PUPPET - HIERA-EYAML > CHEF - CHEF-VAULT > ANSIBLE - ANSIBLE VAULT > SALT - SALT.MODULES.GPG > CFENGINE - CF-KEYCRYPT
  50. TOOL-SPECIFIC VAULTS ARE GREAT, BUT ARE OFTEN LIMITED IN FUNCTIONALITY OUTSIDE THAT TOOL.
  51. YOU DON'T WANT TO STORE THE SAME PASSWORD IN 10 DIFFERENT SYSTEMS IF YOU CAN HELP IT: THAT'S 10X MORE THAT NEEDS TO BE SECURED
  52. EXTERNAL SECRET SERVERS?
  53. OPEN SOURCE POTENTIAL CHOICES: > OPENSTACK'S BARBICAN > CLOUDFLARE'S REDOCTOBER > HASHICORP'S VAULT
  54. GOING DEEPER:
  55. SECURING DATA WITH SOURCE CONTROL
  56. "I wanted to make a configuration management repository open for others to look at and contribute to (à la Wikimedia's Puppet repository)...
  57. However, the repository contained secret material, like SSL keys and passwords...
  58. git-crypt was developed so the secret material could be protected without having to remove it from the repository (which is what Wikimedia had to do)." - ANDREW AYER
  59. GIT-CRYPT? https://www.agwa.name/projects/git-crypt/
  60. GIT SUBMODULES OR SEPARATE REPOS
  61. STAY IN (VERSION) CONTROL
  62. GATE CONFIG MANAGEMENT CHANGES BEHIND VERSION CONTROL
  63. REMEMBER TO KEEP COMMITS CLEAN AS WELL!
  64. commit 88a055c4c3dcec34d5r9054011963649be89d49c Merge: 783d425 1743488 Author: Peter Souter <petems@users.noreply.github.com> Date: Mon April 1 23:47:43 2030 +0000 Turned off SSL, we don't need that right? also password is now password123
  65. RBAC FOR GIT REPOS CONTAINING THE DATA
  66. RBAC
  67. SPLIT ACCESS TO CONFIG MANAGEMENT TOOLS BASED ON NEED
  68. MOST APPLICATIONS HAVE SOME FORM OF RBAC THAT HOOKS INTO ANOTHER AUTHORIZATION SYSTEM (LDAP, AD, ETC.)
  69. REVIEW PROCESSES (AUTOMATED AND MANUAL)
  70. AUTOMATED: > SPEC TESTING > AUTOMATED TESTING SUITES > LINTING/SYNTAX CHECKING
  71. MANUAL: CODE REVIEWS. GET THE SECURITY TEAM INVOLVED IN THE PROCESSES!
  72. WORK WITH AUDITORS
  73. PEOPLE LOVE TO HATE AUDITORS
  74. ADVERSARIAL ENVIRONMENTS ARE NOT FUN
  75. IF YOU HAVE A GOOD WORKING RELATIONSHIP WITH THEM, THEY'RE LIKE AN ADDITION TO YOUR TEAM.
  76. LET'S FACE IT, YOU'LL HAVE TO DEAL WITH THEM ANYWAY, SO YOU MIGHT AS WELL MAKE IT ENJOYABLE!
  77. ASK AROUND
  78. SOFT SKILL/CULTURAL SOLUTION
  79. COMPARE YOUR SECURITY WITH OTHERS WHEN POSSIBLE
  80. A SECURITY MODEL MADE IN A VACUUM IS A SMELL
  81. IF YOU'RE A CUSTOMER, ASK YOUR VENDOR. IF YOU'RE A FOSS USER, ASK ON MAILING LISTS
  82. GAME DAYS AND DRILLS
  83. IF SOMEONE HAD ACCESS TO THE VARIOUS PARTS OF YOUR CONFIG MANAGEMENT INFRA...
  84. HOW MUCH DAMAGE COULD THEY DO? HOW FAST COULD YOU REVOKE ACCESS? HOW LONG WOULD IT TAKE YOU TO NOTICE?
  85. MONITOR, DON'T JUST LOG
  86. GET A BASELINE OF WHAT YOUR CONFIG MANAGEMENT DEPLOYS LOOK LIKE
  87. ELK, STATSD, RIEMANN, COLLECTD, ETC.
  88. GET DATA ON WHAT LOOKS SUSPICIOUS
  89. > ACTIVITY WHEN YOU DON'T EXPECT IT > 4XX, 5XX ERRORS FROM YOUR CONFIG MANAGEMENT INFRA > UNEXPLAINED INCREASES IN THE TEMPERATURE OF YOUR MACHINES IN THE DATA CENTRE > GENERAL ERRORS IN VARIOUS LOGS
  90. COULD BE MALICIOUS, COULD BE ACCIDENTAL, COULD BE A BUG...
  91. ALL OF WHICH YOU SHOULD KNOW ABOUT!
  92. REDUCE THE ATTACK SURFACE
  93. NOT SECURITY THROUGH OBSCURITY!
  94. A BASIC EXAMPLE AT THE APPLICATION LEVEL
  95. > Chef: sensitive: true > Puppet: show_diff=false > Ansible: no_log: True > Salt: --state-verbose=false
  96. SECURITY BASELINE
  97. USE THE SAME SECURITY BASELINE FOR ANY SORT OF SYSTEM: > NO DIRECT INTERNET ACCESS UNLESS ABSOLUTELY NECESSARY > USE BASTION HOSTS FOR DIRECT INTERNET ACCESS > MIRROR REPOS AND ARTIFACTS > KEEP PACKAGES UP TO DATE AND PATCHED > SENSIBLE FIREWALL RULES
  98. HARDEN CONFIG MANAGEMENT INFRASTRUCTURE WITH CONFIG MANAGEMENT!
  99. CENTER FOR INTERNET SECURITY BENCHMARKS
  100. HARDENING.IO
  101. SOME 3-LETTER AGENCIES HAVE EVEN RELEASED THEIR CONFIG MANAGEMENT CODE...
  102. IN LIGHT OF RECENT EVENTS, THAT MIGHT NOT BE SUCH A GREAT THING, BUT HEY, IT'S CONFIG MANAGEMENT, SO YOU CAN INSPECT AND ADAPT WHERE NECESSARY!
  103. SSH
  104. PRIMARILY FOR ANSIBLE
  105. BUT SSH CAN BE USED FOR OTHER TOOLS AS WELL...
  106. > PUPPET - SUPPLY DROP/CAPISTRANO > CHEF - KNIFE SOLO > SALT - SALT SSH > CUSTOM-MADE SSH LOOPS WRAPPING LOCAL MODES FOR TOOLS
  107. SSH HARDENING STANDARDS > Whitelisted access > Bastion hosts > Restrict users > Increase key strength > Rotate keys > Pre-populated known_hosts
  108. HARDEN YOUR SSH WITH CONFIG MANAGEMENT! :)
  109. IF YOU'RE USING ~/.ssh/id_rsa FOR EVERYTHING... YOU'RE DOING IT WRONG :(
  110. DEEPER SSH HARDENING...
  111. SSH KEYS ON HARDWARE: > YUBIKEY > SMARTCARD
  112. THOUGHT EXPERIMENT: DISABLE SSH COMPLETELY?
  113. CONCLUSION > Get your data out of your code > Encrypt it and control access > Most normal security conventions apply > Follow best practices from communities and organizations > Auditing and gating help > Work together! :)
  114. GOING TO CONFIG MANAGEMENT CAMP?
  115. QUESTIONS? IDEAS? HOW ARE YOU HARDENING YOUR CONFIG MANAGEMENT?
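
Slides 85 to 91 ask for a baseline of what normal deploys look like and for alerts on 4xx/5xx errors and activity you did not expect. The script below is an added example, not code from the talk: it runs that logic over constructed access-log lines in a made-up format (the paths are only modelled on a Puppet v3-style API, and the 30-minute agent run interval is an assumed baseline), flagging any 4xx/5xx answered by the master and any node that requests its catalog sooner than the baseline allows.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed access-log format for this example (not any tool's real format):
# "<ISO-8601 UTC timestamp> <client node> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<node>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed baseline: an agent fetches its catalog once per run interval (30 minutes
# by default in Puppet); a node asking much more often is activity you did not expect.
RUN_INTERVAL = timedelta(minutes=30)

def find_suspicious(lines: List[str],
                    run_interval: timedelta = RUN_INTERVAL) -> List[Tuple[str, str, str]]:
    """Return (reason, node, timestamp) for every line worth alerting on:
    a 4xx/5xx answered by the master, or a catalog request sooner than baseline."""
    alerts: List[Tuple[str, str, str]] = []
    last_catalog: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # in production an unparseable line deserves a look too
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        node, path, status = m["node"], m["path"], int(m["status"])
        if status >= 400:
            alerts.append(("http_error_%d" % status, node, m["ts"]))
        if "/catalog/" in path:
            previous = last_catalog.get(node)
            if previous is not None and when - previous < run_interval:
                alerts.append(("catalog_burst", node, m["ts"]))
            last_catalog[node] = when
    return alerts

# Constructed sample lines; the paths are modelled on a Puppet v3-style API.
# The fourth line is a node asking for another node's catalog and being refused.
SAMPLE_LOG = [
    "2016-01-30T09:00:01Z web01.example.com GET /puppet/v3/catalog/web01.example.com 200",
    "2016-01-30T09:00:05Z web01.example.com PUT /puppet/v3/report/web01.example.com 200",
    "2016-01-30T09:03:15Z web01.example.com GET /puppet/v3/catalog/web01.example.com 200",
    "2016-01-30T09:05:00Z unknown.example.com GET /puppet/v3/catalog/db01.example.com 403",
    "2016-01-30T09:35:00Z web01.example.com GET /puppet/v3/catalog/web01.example.com 200",
    "2016-01-30T09:40:00Z db01.example.com GET /puppet/v3/catalog/db01.example.com 500",
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

Feed the alerts into whatever the deck lists (ELK, Riemann and the like) rather than a log file nobody reads; the point of the slide is that someone is paged, not that the line exists.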