Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20200209MINI_INFRA
Search
delphinz
February 09, 2020
Technology
1
370
20200209MINI_INFRA
delphinz
February 09, 2020
Tweet
Share
More Decks by delphinz
See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
delphinz
1
1.4k
MINI Hardening Road to Taiwan(2019 HITCON CMT)
delphinz
0
930
WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs
delphinz
2
1.7k
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
delphinz
0
140
Other Decks in Technology
See All in Technology
Building GoReleaser - from shell script to paid product
caarlos0
0
290
AI エンジニアの立場からみた、AI コーディング時代の開発の品質向上の取り組みと妄想
soh9834
8
540
Expertise as a Service via MCP
yodakeisuke
1
150
From Live Coding to Vibe Coding with Firebase Studio
firebasethailand
1
270
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
masatokinugawa
0
300
OpenTelemetry の Log を使いこなそう
biwashi
5
1.1k
経理出身PdMがAIプロダクト開発を_ハンズオンで学んだ話.pdf
shunsukenarita
1
200
FAST導入1年間のふりかえり〜現実を直視し、さらなる進化を求めて〜 / Review of the first year of FAST implementation
wooootack
1
170
ecspressoの設計思想に至る道 / sekkeinight2025
fujiwara3
12
2k
激動の時代、新卒エンジニアはAIツールにどう向き合うか。 [LayerX Bet AI Day Countdown LT Day1 ツールの選択]
tak848
0
580
完璧を目指さない小さく始める信頼性向上
kakehashi
PRO
0
100
新規事業におけるAIリサーチの活用例
ranxxx
0
170
Featured
See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Documentation Writing (for coders)
carmenintech
72
4.9k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
370
Into the Great Unknown - MozCon
thekraken
40
1.9k
Docker and Python
trallard
45
3.5k
BBQ
matthewcrist
89
9.7k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
990
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.1k
It's Worth the Effort
3n
185
28k
Transcript
MINI Hardening ԋशڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా ߂
ࣗݾհ ▸ ా ߂(Masahiro Tabata )@delphinz ▸ ීஈձܭγεςϜίϯαϧλϯτ ▸ MINI
HardeningӡӦϦʔμʔ(ׂ:ࣾ) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ͍ͬͯΔऀ”Ͱ͢
Hardening Projectͱ ▸ Hardening ProjectͱຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ ͦͷత࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢ΔͷͰ͢ɻ ▸ 2014ʹ࢝·Γݱࡏ·Ͱຖय़ळͷ։࠵͞Ε͍ͯ·͢ɻ
͜ͷΠϕϯτwasforum͕։࠵͍ͯ͠·͢ɻ ۙͰ1/24ɺ25ʹԭೄͷສࠃྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/
MINI Hardeningͱ ▸ Hardening Project ͔Βੜͨ͠ϛχϓϩδΣΫτ 2014ͷ Hardening 10 Evolutions
Πϕϯτʹ͓͍ͯɺ ΞϯΧϯϑΝϨϯεͷՌͱͯ͠ൃ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ ఔͰHardeningڝٕৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com
աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵ όʔδϣϯ3ͷςʔϚʮԾ௨՟ࢢγϛϡϨʔγϣϯʯ ࡢ8݄ʹͰ։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵ͷ ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ
MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͕ࣾಥવʮ͜Ε͔ΒԾ ௨՟ͩʯͱએݴ͠ɺࣾࣗΒωοτຊͳͲΛࢀߟʹԾ ௨՟ަॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳڥʹ͍ͯ͘͠ɻ
ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕ޭ͢ΔຖʹಘɺSLAΛอͭ͜ͱ͕େࣄʂ
ϝϯόʔհ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ໊̏Ͱͨ͠(ʣʣ
͜͜Ͱ࣭
Έͳ͞Μݕূɾԋशڥ Ͳ͏ͬͯ࡞ͬͯ·͔͢ʁ
͋ΔΠϯϑϥ୲ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲ͷલऀ͕! ࣄ͕͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ
݁Ռ
ͥΜͥΜΘ͔Βͳ͍ʂ ԶͨͪงғؾͰ ΫϥυΛ͍ͬͯΔʂ ʮԶୡงғؾͰδΣωϨʔλʔΛ͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞ IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥυ
Πϯϑϥ୲ऀͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ() 20182݄͔Β20185݄GW໌͚·Ͱ11σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(ޱઃܭ) ࢀՃऀ45ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ
ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ (͘͞ΒͷΫϥυͰTerraform,PackerΛ༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ ʮαΠόʔԋशڥͷࣗಈߏங(Seed(KBC))ʯ (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com
ԋशڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛׂ ▸ ӡӦ-ڝٕؒ௨৴ΛڐՄɺڝٕνʔϜؒ௨৴ෆՄ ▸ ౿ΈαʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢
ԋशڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕ཧ͢ΔΞϓϦέʔγϣϯҎԼͷ௨Γ
Πϯϑϥߏஙखॱ ▸ ΈΜͳେ͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ ༻͍ͯ͠·͢ɻ .JUDIFMM)BTIJNPUPࢯ͕ઃཱ )BTIJDPSQ5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ͚ͷπʔϧΛ։ൃ ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ
https://www.hashicorp.com
ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardeningڥ͔Β TerraformingΛͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ ੜͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯมԽ
ڞ௨มΛઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲ ɾόʔδϣϯ ɾڝٕνʔϜ(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ
Πϝʔδ࡞ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞ʹPackerΛ༻ɺ ߏཧπʔϧʹAnsibleΛ༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍ڥΛ࡞Δͷख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ
ڥల։ޙͷݻ༗ઃఆ߲ ▸ ΠʔαϦΞϜͷΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্)
ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞ ▸ Πϯϑϥͷࣗಈల։(νʔϜʹԠͯ͡૿ݮʣ ˎ30ఔͰ100ऑͷαʔόల։ՄೳɺҰׅআ؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(ຯʹ໘͕ଟ͍ɺ͏ͬͯͳ͍)
▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅআίϚϯυ࣮ߦ݁Ռ
࣮Θͨ͠(ͨͪ)ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ Ͱࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·ͰΔͷͰڞ௨Խ͋ͱ·Θ͠ ▸ ςετॻ͍ͯ·ͤΜʂ
·ͱΊ
ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰϓϩάϥϛϯάʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥυɺπʔϧࣄΛ࠷͔ͭίʔυϨϕϧͰ ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹԿਓԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓
Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠
͜Ε͔ΒΓ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏPoweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard dutyʣ ▸ CIɺCDͷಋೖ
▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋशͬͪΌ͍ͳΑʂ
ଓ͖ΣϒͰ ▸ ʢએʣTerraformɺPackerͷͷଓ͖ ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦدߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413
͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ