Security Practices with CFEngine
as seen across big community and enterprise installations
Dimitrios Apostolou
jimis@cfengine.com
Nick Anderson
nick.anderson@cfengine.com
Host Security Checklist
● host firewall, gateway firewall
● backup everything (including policy)
  – regularly test restore
● disable unwanted or unknown services
● remove unnecessary packages
  – remove dev packages
● SSH: disallow root login, allow only specific users, protocol version 2 only, display banner, etc.
● use sudo and sudoers
● keep system up to date
  – while avoiding automatic breakage
● enforce SELinux and turn on iptables
  – occasionally deal with the breakage
● account management
  – disallow users reusing old passwords
  – enforce strong passwords
  – password expiry
● disable CTRL+ALT+DEL
● remote syslog
● mail important logs
  – while keeping log noise minimal
● run usbguard
● physical security
● [ … ]
Host Security Checklist
● This was just a small one
● Every sysadmin has their own checklist
  – (usually gained through painful experience)
● Official, regulated checklists do exist
  – Thousands of very simple checks
  – Example: STIG, CIS
  – Automated policy feasible
  – (see references and wait for demo!)
So, we got ourselves well covered; what can possibly go wrong now?
What happens when the 1st line of defense is breached?
● Information disclosure
● Policy has the great advantage of being live documentation for the whole infrastructure
  – Disadvantage?
● Configuration management opens new horizons for the attacker
  – Study network topology
  – Figure out company internal details
  – Work their way in step by step
  – Worst case: directly configure other hosts (case of misconfigured trust or access_rules)
Policy files, JSON files, CFEngine module files and CSV files usually describe all of the infrastructure very concisely. A single common bundle like the one below hands an intruder the network map:
  bundle common topology
  {
    classes:
      "compute_nodes" expression => iprange("1.2.3.1-4");
      "storage_nodes" expression => iprange("1.2.3.5-8");
      "db_nodes"      expression => iprange("1.2.3.9-12");
      "cluster_nodes" or         => { "compute_nodes", "storage_nodes", "db_nodes" };
      "firewall"      expression => fileexists("/etc/blah");
      "svn_server"    expression => classmatch("123_123_123_123");
  }
Additionally, a technical breach does not even have to occur: a person who can read the policy repository is usually the weakest link.
So how can we deploy and manage our
infrastructure and policy,
in order to minimise information leakage,
while enjoying other benefits as well?
Infrastructure Split
● GOLD – SILVER – BRONZE compartmentalisation
  – GOLD: strictest security, e.g. the policy hub
    ● but not critical for product delivery: no panic if it is down for a while
  – SILVER: medium security; critical services go here, possibly in multiple silver zones
  – BRONZE: everything else
● A breach of one zone must never compromise a higher zone
  – Policy is carefully structured, and files/directories are split and protected appropriately
  – Carefully isolated VLANs or DMZs
  – Appropriate access_rules and CFEngine key distribution
  – This will probably lead to some policy rewriting, but peace of mind is worth it
Policy Hub(s)
● Treat this as GOLD. It knows everything; having it hacked is fatal.
  – But does it have to be that way?
● In CFEngine the policy hub is just another autonomous agent, so it can be set up in a distributed way.
● This can yield big improvements in both performance and security.
● However, it involves considerable administrative overhead, which might not be worth it depending on the number of configured nodes.
Distributed Hub Configuration Examples
● Many identical hubs (mirrors): a custom update.cf downloads from an slist of hub addresses
  – clients keep working when one mirror is down; every mirror still holds the full policy, so each one is GOLD
● Separate hubs: host groups bootstrapped to different hubs that serve different sets of policies
  – full compartmentalisation, but double the administrative overhead
● Several hubs kept in custom policy variables on all hosts, each one serving a different set of policy files
  – sys.policy_hub is no longer meaningful: manual bootstrap, manual trust establishment, manual update.cf
● Cascaded hubs: central hub(s) distribute generic policy; autonomous departments run their own hubs that pull the generic configuration, merge in their own changes, then serve the result to the department's machines
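The "many identical hubs" layout, as an added example that is not part of the slides or of the CFEngine masterfiles: an update bundle that pulls the policy tree from an ordered list of mirrors. The mirror addresses are placeholders, and the bundle assumes that every mirror's public key is already in the client's ppkeys, which is what lets it set trustkey => "false" and never accept an unknown key at update time.

```cfengine
# Added example: update policy for the "many identical hubs" layout.
# Requires the CFEngine standard library for recurse(), m() and if_repaired().
body common control
{
  inputs         => { "$(sys.libdir)/stdlib.cf" };
  bundlesequence => { "update_from_mirrors" };
}

bundle agent update_from_mirrors
{
  vars:
    # Placeholder mirror addresses. Order matters: cf-agent tries the servers
    # in list order and uses the first one that answers, so put the nearest
    # (or most trusted) mirror first.
    "mirrors" slist => { "10.10.0.10", "10.20.0.10", "10.30.0.10" };

  files:
    "$(sys.inputdir)/."
      copy_from    => mirror_pcp("/var/cfengine/masterfiles", @(mirrors)),
      depth_search => recurse("inf"),
      perms        => m("600"),
      classes      => if_repaired("policy_updated"),
      comment      => "Pull the policy tree from the first reachable mirror";

  reports:
    policy_updated::
      "Policy updated from a mirror on $(sys.fqhost)";
}

body copy_from mirror_pcp(path, servers_list)
{
  source           => "$(path)";
  servers          => { @(servers_list) };
  compare          => "digest";   # compare content hashes, not mtimes
  trustkey         => "false";    # never learn a new hub key during an update
  protocol_version => "latest";   # TLS only, never the classic protocol
  purge            => "true";     # remove local files that were deleted upstream
  copy_backup      => "false";
  type_check       => "false";
}
```

Because every mirror serves the complete policy, each one must be protected as GOLD; the list buys availability, not compartmentalisation. If a mirror's key is missing from ppkeys, the copy from that mirror simply fails and the agent moves to the next address, which is the intended failure mode.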
Bowtie Process of Policy Management
● Either many independent VCS repositories, or one with appropriate ACL controls
● Different editing/viewing rights for the different departments
● Fan-in to the Policy Dispatcher, who has full access to the hub
● Fan-out to the hosts pulling the merged policy
“The burden of security is now localized entirely at the Policy Dispatch Point. It becomes the responsibility of this role (policy dispatcher) to ensure that the desired state is in fact the one that is promised.”
Secrets in Policy
● Rule no. 1: You do not need secrets in your policy
● But what if you really do want them? :-)
  – Keep them in separate files and give access only to the relevant hosts (bundle server access_rules)
  – Store secrets only as hashes (e.g. password hashes) or encrypted, never as plaintext in policy
  – cf-keycrypt: community tool for encrypting with the client's public key, so that only that one client can decrypt
  – Misc key vault tools
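The hub-side access rules that implement both the zone split above and the "separate files, relevant hosts only" rule for secrets, as an added example that is not part of the slides or of the CFEngine masterfiles. The directory layout, the bundle name and every key ID are placeholders; on a real hub, get a host's key ID with cf-key -p on its ppkeys entry. Hosts are admitted by key rather than by IP, so a re-used or spoofed address cannot claim another zone's policy.

```cfengine
# Added example: cf-serverd access rules for a GOLD/SILVER/BRONZE policy tree.
# Replace the default masterfiles rule that admits all of /var/cfengine/masterfiles;
# a catch-all rule would make the split below meaningless.
bundle server zone_access_rules
{
  vars:
    # Placeholder key IDs; real ones look like "SHA=<64 hex digits>" and are
    # printed by `cf-key -p /var/cfengine/ppkeys/root-SHA=...pub` on the hub.
    "gold_keys"   slist => { "SHA=<key id of hub01>" };
    "silver_keys" slist => { "SHA=<key id of app01>", "SHA=<key id of db01>" };
    "bronze_keys" slist => { "SHA=<key id of build01>", "SHA=<key id of ci01>" };

  access:
    # Generic policy that every bootstrapped host may fetch. Still key-gated:
    # admit_keys only matches hosts whose key the hub has already accepted.
    "/var/cfengine/masterfiles/common"
      admit_keys => { @(gold_keys), @(silver_keys), @(bronze_keys) };

    # One tree per zone. A bronze host cannot even list the silver or gold
    # directories, so a compromised build box learns nothing about them.
    "/var/cfengine/masterfiles/zones/bronze"
      admit_keys => { @(bronze_keys) };

    "/var/cfengine/masterfiles/zones/silver"
      admit_keys => { @(silver_keys) };

    "/var/cfengine/masterfiles/zones/gold"
      admit_keys => { @(gold_keys) };

    # A secret that exactly one host needs: kept outside masterfiles, admitted
    # to that single key, and (assumed) already encrypted with cf-keycrypt so
    # it is also useless to anyone who reads the hub's disk.
    "/var/cfengine/secrets/db01.enc"
      admit_keys => { "SHA=<key id of db01>" };

    # No rule for /var/cfengine/masterfiles itself, /var/cfengine/secrets or
    # the zones/ parent: anything not listed above is denied.
}
```

Clients in this layout copy /var/cfengine/masterfiles/common plus their own zone directory rather than the whole masterfiles tree, and the zone lists above become the single place where zone membership is decided. Moving a host between zones is then a key-list edit on the hub, not a firewall change.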
Secure CFEngine Bootstrap
● Put the hub's public key in the client's ppkeys (file name root-<key ID>.pub)
● Put the client's public key in the hub's ppkeys
● Keep trustkeysfrom always empty
● Then bootstrap without accepting any key over the wire:
  cf-agent --trust-server=no --bootstrap $HUB_IP
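The cf-serverd control settings that go with a key-exchanged bootstrap, as an added example that is not part of the slides or of the CFEngine masterfiles. The network ranges are placeholders; everything else is the hardening a practitioner would want to see next to an empty trustkeysfrom.

```cfengine
# Added example: hub-side server control for a no-trust-on-first-use setup.
body server control
{
  # Empty on purpose: the hub never auto-accepts a key it has not seen.
  # Client keys are placed in $(sys.workdir)/ppkeys by hand or by the
  # provisioning system before the client runs
  # `cf-agent --trust-server=no --bootstrap`.
  trustkeysfrom       => {};

  # Only these networks may open a connection at all (placeholder ranges).
  allowconnects       => { "10.0.0.0/8", "127.0.0.1", "::1" };
  # Hosts allowed more than one concurrent connection.
  allowallconnects    => { "10.0.0.0/8" };

  # Refuse the classic (pre-3.6) protocol entirely: TLS or nothing.
  allowlegacyconnects => {};
  allowtlsversion     => "1.2";   # CFEngine 3.7+

  # Which local users a client may ask to authenticate as.
  allowusers          => { "root" };

  logallconnections   => "true";  # every accepted and rejected connection is logged
  maxconnections      => 200;
}
```

With trustkeysfrom empty, a client whose key is not yet on the hub gets a refused connection rather than a silently established trust relationship, which is exactly the failure you want during a rogue bootstrap attempt. Check the hub's cf-serverd log for rejected keys after every batch of provisioning; a key you do not recognise there is worth investigating.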
cf-runagent: allow only specific bundles
● cf-serverd on the host being triggered admits the bundle as a resource; admit_ips lists the hosts that may trigger it (here only loopback, so put the hub's address there for remote triggering):
  bundle server access_rules()
  {
    access:
      "bundle2"
        admit_ips     => { "127.0.0.1", "::1" },
        resource_type => "bundle";
  }
● Then, from an admitted host:
  cf-runagent -H $CLIENT_IP --remote-bundles bundle2
File Change Monitoring
● cfe_internal/enterprise/file_change.cf (uses body changes diff from the standard library)
  bundle agent change_management
  {
    vars:
      linux::
        "watch_files_report_diffs"
          slist => { "/etc/passwd", "/etc/group" };

    files:
      linux::
        "$(watch_files_report_diffs)" -> { "InfoSec" }
          changes => diff;
  }
● Resulting log entry when a watched file changes:
  2016-01-26T19:08:36+0000 notice: /default/service_catalogue/methods/'security'/default/change_management/files/'/etc/passwd'[0]: Hash 'sha256' for '/etc/passwd' changed!
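A tamper-watch policy that goes a step beyond the masterfiles snippet, as an added example that is not part of the slides or of the CFEngine masterfiles: it watches metadata as well as content, covers the agent's own private key, and keeps alerting until an administrator deliberately re-baselines. The watch list is an assumption; extend it with what matters on your hosts.

```cfengine
# Added example: integrity monitoring that does not silently accept a change.
body common control
{
  inputs         => { "$(sys.libdir)/stdlib.cf" };
  bundlesequence => { "tamper_watch" };
}

bundle agent tamper_watch
{
  vars:
    # Assumed watch list for this example (sudoers.d, cron and the hub's
    # access rules are good additions).
    "critical" slist => {
      "/etc/passwd",
      "/etc/shadow",
      "/etc/sudoers",
      "/etc/ssh/sshd_config",
      "/var/cfengine/ppkeys/localhost.priv",
    };

  files:
    "$(critical)"
      handle  => canonify("tamper_watch_$(critical)"),
      changes => tamper_alert,
      comment => "Record a SHA-256 baseline on first run, then alert on any later change";

  reports:
    # cf-agent raises the checksum_alerts class whenever a changes body
    # detects a modified file, so other policy (paging, isolation) can react.
    checksum_alerts::
      "Integrity change on a watched file on $(sys.fqhost); review the cf-agent log before re-baselining";
}

body changes tamper_alert
{
  hash           => "sha256";
  report_changes => "all";    # content hash and inode metadata (owner, mode, ...)
  report_diffs   => "true";   # Enterprise: include a diff of the content in the report
  update_hashes  => "no";     # keep alerting every run until an admin re-baselines
}
```

The important choice is update_hashes => "no": the stdlib diff body updates the stored hash as soon as it reports a change, so a single missed notice means the new, possibly malicious, content becomes the accepted baseline. With the setting above the agent keeps reporting on every run until someone flips it to "yes" for one run to accept the new state. Watching localhost.priv is deliberate: if that key is replaced or re-permissioned, every trust decision on the host is suspect.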
Thanks
● Bjørgeengen, Jarle (Cascaded hubs)
● Bjørnstad, Jon Henrik (cf-keycrypt)
● Burgess, Mark (Bowtie process and other special topics)
● Georgatos, Fotis (Gold-Silver-Bronze compartmentalisation)
● Marongiu, Marco (security checklist)
● Phooripoom, Nakarin (security checklist)
● Schulz, Tilman (much of the CIS policy)
References
● file changes monitoring policy: https://github.com/cfengine/masterfiles/blob/master/cfe_internal/enterprise/file_change.cf
● distributed file monitoring: https://auth.cfengine.com/manuals/st-security#Tamperproof-data-and-distributed-monitoring
● bowtie process: https://auth.cfengine.com/archive/manuals/st-rbac and https://auth.cfengine.com/archive/manuals/st-teams
● Gold-Silver-Bronze infrastructure compartmentalisation: http://www.sambaxp.org/archive_data/media/georgatos-XP2003.pdf and https://www.usenix.org/legacy/event/lisa98/full_papers/traugott/traugott.pdf
● cf-keycrypt: https://github.com/cfengineers-net/cf-keycrypt
● STIG policies: https://auth.cfengine.com/stig
● CIS policies: https://github.com/nickanderson/cfengine-cis
