
20200209MINI_INFRA

delphinz
February 09, 2020


Transcript

  1. MINI Hardening: Let's Build the Exercise Environment. MINI Hardening Organizing Team, Masahiro Tabata

  2. About me ▸ Masahiro Tabata (@delphinz) ▸ Day job: accounting systems consultant ▸ MINI Hardening organizing lead (role: company president) ▸ Member of the OWASP Japan promotion team ▸ Joined Secure Brigade (セキュア旅団) in 2019 ▸ I am "someone who does security as a hobby"
  3. What is the Hardening Project? ▸ The Hardening Project is an event born in Japan that combines a security-technology competition with presentations of security measures. Its aim is to discover and honor top engineers with the best "defensive" skills. ▸ It started in 2014 and has been held every spring and autumn since. The event is organized by wasforum. Most recently it was held on January 24 and 25 at the Bankoku Shinryokan in Okinawa. https://wasforum.jp/hardening-project/
  4. What is MINI Hardening? ▸ A mini project spun off from the Hardening Project; it was launched as an outcome of the unconference at the Hardening 10 Evolutions event in 2014 ▸ Experience Hardening casually: in MINI Hardening you go through the Hardening competition and the retrospective in about half a day ▸ It is strictly an "event for beginners". Concept: "Experience a security incident, casually!" https://minihardening.connpass.com
  5. Past events ▸ Held 16 times so far. The theme of version 3 is "cryptocurrency market simulation". In August last year we also held one in Taiwan. ▸ To everyone at OWASP Sendai: thank you for joining the December 14 Osaka event online!

  6. MINI Hardening competition overview ▸ At "SORAMINE Inc." the president suddenly declared "from now on it's cryptocurrency", and built a cryptocurrency exchange system himself, using the internet and some books as reference. ▸ To protect the servers from the clutches of the attacking hackers, participants act as super-ace support engineers and harden the environment so that the cryptocurrency system keeps running stably. [Scoring] Points are awarded every time the crawler's access succeeds; keeping the SLA is what matters!
  7. Members ▸ We have now grown to 8 people (at first there were only 3, sweat)

  8. A question for you

  9. How do you all build your test and exercise environments?

  10. One day I was reborn in another world with no infrastructure person ▸ Right when version 3 was starting, the previous infrastructure person left! "Work has gotten busy, it looks like I can't take part from version 3 on!" "How were we handling the infrastructure code up to now?" "I'll send you my notes with the list of shell-script commands I was using."

  11. Result

  12. I don't understand any of it! We are doing cloud by vibes! Enjoy the "we are doing X by vibes" generator: https://potatod.github.io/huniki_generator (text: クラウド)

  13. The road to becoming the infrastructure person ▸ Installing AWS CLI, Git and Ansible (sweat). From the end of February 2018 until after Golden Week in May 2018: one deployment a day as training! ▸ Researched examples of people building similar environments ▸ Micro Hardening (designed by Kawaguchi): within a limited time of 45 minutes, participants deal with various cyber attacks against a provided EC site (uses Terraform and Packer on Sakura Cloud) ▸ 2017/09/14 "Mini Program Contest": "Automated construction of a cyber exercise environment (Seed (KBC))" (implemented on OpenStack) https://microhardening.connpass.com
  14. Exercise environment (infrastructure) ▸ The organizing team and the competing teams are placed in separate subnets ▸ Traffic between the organizers and the teams is allowed; traffic between competing teams is blocked ▸ Each subnet is reached through a bastion (jump) server

  15. Exercise environment (applications) ▸ The applications managed by each competing team are as follows

  16. Infrastructure build procedure ▸ We use everybody's favorites from HashiCorp, Packer and Terraform, together with Ansible. Founded by Mitchell Hashimoto, HashiCorp builds tools for developers and operators guided by the HashiCorp Tao (道): "we want to provide tools that close the technology gap" https://www.hashicorp.com
  17. Preparing to write the deployment code ▸ Reverse-engineer the Terraform deployment code from the existing environment! Generate the configuration files (*.tf) from the MINI Hardening environment with Terraforming, turn every unique ID in the generated tf files into variables, then set the shared variables. Configuration files needed to build the AWS environment: ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf. Shared items: version, number of competing teams (max 26), local domain name, IP address (up to the second octet), instance size
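The shared variables from slide 17 and the subnet and traffic rules from slide 14, written out as an added Terraform 0.12 example; this is not the MINI Hardening project's own code, and the variable names, the 10.42 prefix, the domain and the instance size are assumed placeholders.

```hcl
# Added example, not the project's code. Shared inputs from slide 17:
variable "team_count"    { default = 3 }              # real event: up to 26 teams
variable "ip_prefix"     { default = "10.42" }        # first two octets are shared
variable "local_domain"  { default = "soramine.local" }  # assumed placeholder
variable "instance_size" { default = "t3.small" }     # assumed placeholder

locals {
  vpc_cidr      = "${var.ip_prefix}.0.0/16"
  # /24 number 0 for the organizing team, /24 numbers 1..N for the competing teams
  operator_cidr = cidrsubnet(local.vpc_cidr, 8, 0)
  team_cidrs    = [for i in range(var.team_count) : cidrsubnet(local.vpc_cidr, 8, i + 1)]
}

resource "aws_vpc" "lab" {
  cidr_block = local.vpc_cidr
}

# Organizing team subnet (slide 14); the bastion that fronts the lab lives here.
resource "aws_subnet" "operator" {
  vpc_id     = aws_vpc.lab.id
  cidr_block = local.operator_cidr
}

# One subnet per competing team, scaled by team_count (slide 20: grows and
# shrinks with the number of teams).
resource "aws_subnet" "team" {
  count      = var.team_count
  vpc_id     = aws_vpc.lab.id
  cidr_block = local.team_cidrs[count.index]
  tags       = { Name = "team-${count.index + 1}" }
}

# Per-team security group: inbound only from the organizers' subnet and from the
# team's own subnet. Security groups deny everything else, so other teams'
# subnets cannot reach this team's servers.
resource "aws_security_group" "team" {
  count  = var.team_count
  vpc_id = aws_vpc.lab.id
  name   = "team-${count.index + 1}-sg"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [local.operator_cidr, local.team_cidrs[count.index]]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The same team-to-team block belongs in the network ACL as well (the page's nacl.tf), since a NACL applies at the subnet boundary regardless of how individual instances are configured.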
  18. Image creation and application provisioning ▸ Packer is used to build each server image, with Ansible as the configuration management tool ▸ Deliberately building a non-secure environment is a lot of work! Example: installing PHP with Ansible

  19. Environment-specific settings after deployment ▸ Ethereum wallet IDs ▸ Mail settings (the Thunderbird settings were only shown on screen; moved to Slack) ▸ Windows language packs (fail from PowerShell for some reason) ▸ Windows machine names (same as above)

  20. What we managed to automate ▸ Building server images ▸ Automatic infrastructure deployment (scales up and down with the number of teams) * Close to 100 servers can be deployed in about 30 minutes, and bulk deletion is easy too ▸ IP address and domain name settings (Route 53 is the best!) ▸ Mail server construction (quietly tedious; no longer used) ▸ Collecting logs and bash history after the competition ends. Example: output of Terraform's bulk-destroy command
  21. Actually, I (we)... ▸ had not standardized the organizing team's infrastructure! ▸ There is a lot of trial and error, so a simple package install isn't enough ▸ Preparation goes down to the wire, so standardization gets put off ▸ We haven't written any tests!

  22. Summary

  23. I can now survive in the other world! ▸ You can pick up programming even from age 40! ▸ I was able to learn the latest cloud and tooling landscape by the shortest route, at the code level ▸ I came to understand how developers and operators feel ▸ I came to understand the person who said "code harbors a madness that nobody can hold back"
  24. What I want to do next ▸ Upgrade to Terraform 0.12 ▸ Apply Ansible to Windows (currently PowerShell) ▸ Automate AWS features (CloudTrail, CloudWatch, GuardDuty, etc.) ▸ Introduce CI/CD ▸ Open-source the code ▸ Build the victim server with metasploitable3 (under evaluation) ▸ Introduce a monitoring tool (Elasticsearch?) Go build test and exercise environments: personally, at your company, in your community!
  25. To be continued on the web ▸ (Advertisement) The rest of the Terraform and Packer story is in the Secure Brigade books, lol (other organizers contributed too) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413

  26. Thank you for listening!