Automating secure server baselines with Chef

© 2013 CloudPassage Inc.! 1!
Automating Secure Server
Baselines with Chef
a.k.a. “Making Fixing Stupid Stuff Easy”
!
Andrew Hay!
andrew@cloudpassage.com!
@andrewsmhay | @cloudpassage!
#ChefConf / #CloudSec

Topics for today
Why the cloud makes security hard
Why secure the OS?
What is a baseline?
How Chef can be used to create
secure and repeatable server and
application baselines

Who are you?
•  My name is Andrew Hay, and I am a chef…!

Who are you?
•  Andrew Hay, Director of Applied Security
Research at CloudPassage, Inc.!
•  Former!
–  Senior Industry Analyst @ 451 Research
–  Security Analyst @ UofL and a bank in Bermuda
–  Product, Program and Engineering Manager @ Q1 Labs

Goals of
moving to
cloud fail
to mesh
with
security
✔�
✔�

dmz dmz
corecore
Firewall
Firewall
DB
Load
Balancer
Auth
Server
App
Server
DB
Load
Balancer
App
Server
DB
We used to rely on perimeter defenses

DB
Load
Balancer
App
Server
App
Server
But where is the perimeter in cloud?
Auth
Server
DB
Load
Balancer
DB
public cloud

public cloud
The server is adjacent to the perimeter
Load
Balancer
App
Server
App
Server
DB
Master
!�
!�

Why secure the OS?
•  A hardened OS often is the last line of
defense in the event of a security
compromise.!
•  It is important to note that hardening is
not a panacea for security. !
–  It is just another layer in a good security
model.
•  By deﬁnition, any machine that is
accessible on a network and running
services is potentially insecure.!
–  (i.e. pretty much any server)

“Andrew’s Law of Servers”
•  There are 3 kinds of servers:!

1) Secure servers

2) Insecure servers
3) Servers that you think are secure…
server
server
!�
server
?

Servers are vulnerable
•  National Vulnerability Database search of CVE and CCE
vulnerabilities:!
–  Ubuntu
•  Last 3 years: 1,015 matching records!
•  Last 3 months: 145 matching records!
–  Red Hat Enterprise Linux
•  Last 3 years: 50 matching records!
–  Microsoft Windows (server)
•  Last 3 years: 319 matching records!
•  NVD reported 5, 715 vulnerabilities in 2012.!
•  This means that last year about 16 new security vulnerabilities were
discovered each day. !

What is a baseline?
•  base·line /ˈbāsˌlīn/!
–  A minimum or starting point used for comparisons.
•  Think of it as the ‘bare minimum’ conﬁguration
for:!
–  Server settings
–  Application conﬁgurations
–  Running services
–  Etc.
•  Ask yourself:!
–  “What do I want of my servers?”

What if I only secure one or two things?

www
Running with baselines…
Gold Master
www wwwwww
!�
www
!�
If your baseline is not secure…
Your servers built off of that baseline are also insecure
www
!�

www
?
www
?
www
!�
www
!�
Pushing out a ‘Better Master’ might solve a lot of
problems
But it may (will) eventually fail you
www
?
www
?
Better Master
www
?
www
?
www
?
www
?

www
?
www
?
www
!�
www
!�
Using our new ‘Gold Master’ we can trust our server’s
security
Letting us focus on other, more pressing tasks
wwwwwwwwwwwwwww
Gold Master

Gold Master
Gold Master updates can be rolled out incrementally
Keeping your operational state…operational
www
!�
www
!�
www wwwwww
?�
wwwwwwwwwwww
www
www
!�
www

© 2013 CloudPassage Inc.! 20!20!
How Chef Can Help

Top 5 easy things to start building
your secure baseline
1.  Disable unnecessary services!
2.  Remove unneeded packages!
3.  Restrict access to sensitive ﬁles & directories!
4.  Remove insecure/default conﬁgurations!
5.  Allow administrative access ONLY from trusted
servers/clients!

Disable unnecessary services
•  Only what is needed…is needed!
•  Shutdown and disable $ $ $
unnecessary/insecure services!
–  e.g. telnet, r-services, ftpd, etc.
•  Take a look at:!
–  http://docs.opscode.com/resource_script.html
–  http://docs.opscode.com/resource_execute.html
–  http://docs.opscode.com/dsl_recipe_use_ruby.html

Remove unneeded packages
•  If it isn’t being used…why keep it?!
•  If the server doesn’t need to $ $ $ $
serve web pages!
–  Remove PHP, Apache/nginx
•  If it’s not a database server!
–  Remove MySQL/PostgreSQL
–  http://docs.opscode.com/resource_package.html
–  http://docs.opscode.com/resource_script.html
–  http://docs.opscode.com/resource_execute.html

–  apt_package
–  chef_gem
–  dpkg_package
–  easy_install_package
–  freebsd_package
–  gem_package
–  ips_package
–  macports_package
–  pacman_package
–  portage_package
–  rpm_package
–  smartos_package
–  solaris_package
–  yum_package
http://docs.opscode.com/resource_package.html�

Restrict access to sensitive files & directories
•  Protect what’s important from prying/malicious
eyes!
•  Ensure ﬁle permissions restrict $ $
access to sensitive ﬁles and $ $
directories!
–  e.g. /etc/ssh/sshd_config, /var/log/
–  e.g. C:Windows,
C:Inetpub

Remove insecure/default configurations
•  Disable password authentication for SSH!
–  Force public key authentication
–  Also, disable empty passwords for users
•  SSH!
–  Ensure only v2 protocol connections are allowed
•  Apache!
–  Minimize loadable modules
–  Disable ServerTokens and ServerSignature directives

Remove insecure/default configurations
•  Apache Example!
–  http://docs.opscode.com/
essentials_cookbook_attribute_ﬁles.html
–  http://docs.opscode.com/essentials_roles.html

Allow administrative access ONLY from trusted
servers/clients
•  Leverage the ﬁrewall and other tools!
–  Source of corporate network / admin

network range
–  3rd-party tools like fail2ban
•  Don’t allow (or at least restrict)$ $ $
‘server hopping’!
–  http://community.opscode.com/cookbooks/fail2ban
–  http://community.opscode.com/cookbooks/ﬁrewall
–  http://community.opscode.com/cookbooks/ssh_known_hosts

If only we had more time…
•  More documentation to review:!
–  NIST SP800-123: Guide to General Server Security
•  http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf!
–  Halo Conﬁguration Policy Rule Checks
•  http://support.cloudpassage.com/entries/22033142-conﬁguration-policy-rule-
checks!
–  Center for Internet Security (CIS) Benchmarks
•  http://benchmarks.cisecurity.org/downloads/benchmarks/!
–  Microsoft (yes, that Microsoft)
•  http://www.microsoft.com/en-us/download/details.aspx?id=17606!
!

Moral of the Story
Security of your cloud servers is your
responsibility
Security risk in the cloud are real (just
check your ssh/RDP logs)
Security baselining isn’t just a best/
better practice, it makes your life
easier…
…and isn’t that why we started
automating in the first place?

What does CloudPassage do?
Firewall Automation
Multi-Factor
Authentication
Account
Management
Security Event
Alerting
Configuration
Security
Vulnerability
Scanning
Security for virtual servers running in
public and private clouds
File Integrity
Monitoring
API Automation

The End
•  Ask questions!
–  Lots more info:
community.cloudpassage.com
–  Small bits of info: @cloudpassage
•  Tell me what you think!
–  Email:
andrew@cloudpassage.com
–  Twitter:
@andrewsmhay
•  We’re hiring!

Email:
jobs@cloudpassage.com
BTW,
We’re
Hiring!

The End+=1
•  Expect a webinar!
–  We plan on presenting a webinar on securely
automating cloud server deployment
–  Follow our Twitter account for details: @cloudpassage
•  Community Chef Code for Halo
–  https://github.com/escapestudios/chef-cloudpassage
–  http://community.opscode.com/cookbooks/
cloudpassage

The End+=umm…more
•  GitHub
–  http://github.com/cloudpassage
–  http://github.com/andrewsmhay

Thank You!
Andrew Hay
andrew@cloudpassage.com
@andrewsmhay
@cloudpassage
#ChefConf / #CloudSec

Automating secure server baselines with Chef

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Automating secure server baselines with Chef

Similar to Automating secure server baselines with Chef (20)

More from Chef Software, Inc.

More from Chef Software, Inc. (20)

Recently uploaded

Recently uploaded (20)

Automating secure server baselines with Chef