Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20200209MINI_INFRA
Search
delphinz
February 09, 2020
Technology
1
370
20200209MINI_INFRA
delphinz
February 09, 2020
Tweet
Share
More Decks by delphinz
See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
delphinz
1
1.4k
MINI Hardening Road to Taiwan(2019 HITCON CMT)
delphinz
0
910
WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs
delphinz
2
1.7k
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
delphinz
0
140
Other Decks in Technology
See All in Technology
Oracle Audit Vault and Database Firewall 20 概要
oracle4engineer
PRO
3
1.7k
TechLION vol.41~MySQLユーザ会のほうから来ました / techlion41_mysql
sakaik
0
190
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
3
230
AWS アーキテクチャ作図入門/aws-architecture-diagram-101
ma2shita
30
11k
“社内”だけで完結していた私が、AWS Community Builder になるまで
nagisa53
1
410
Snowflake Summit 2025 データエンジニアリング関連新機能紹介 / Snowflake Summit 2025 What's New about Data Engineering
tiltmax3
0
320
Lambda Web Adapterについて自分なりに理解してみた
smt7174
5
130
A2Aのクライアントを自作する
rynsuke
1
210
フィンテック養成勉強会#54
finengine
0
180
Prox Industries株式会社 会社紹介資料
proxindustries
0
330
なぜ私はいま、ここにいるのか? #もがく中堅デザイナー #プロダクトデザイナー
bengo4com
0
480
解析の定理証明実践@Lean 4
dec9ue
0
180
Featured
See All Featured
Six Lessons from altMBA
skipperchong
28
3.9k
Code Review Best Practice
trishagee
68
18k
We Have a Design System, Now What?
morganepeng
53
7.7k
How to train your dragon (web standard)
notwaldorf
94
6.1k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
281
13k
Embracing the Ebb and Flow
colly
86
4.7k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
The Pragmatic Product Professional
lauravandoore
35
6.7k
Designing for humans not robots
tammielis
253
25k
Done Done
chrislema
184
16k
Producing Creativity
orderedlist
PRO
346
40k
Transcript
MINI Hardening ԋशڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా ߂
ࣗݾհ ▸ ా ߂(Masahiro Tabata )@delphinz ▸ ීஈձܭγεςϜίϯαϧλϯτ ▸ MINI
HardeningӡӦϦʔμʔ(ׂ:ࣾ) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ͍ͬͯΔऀ”Ͱ͢
Hardening Projectͱ ▸ Hardening ProjectͱຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ ͦͷత࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢ΔͷͰ͢ɻ ▸ 2014ʹ࢝·Γݱࡏ·Ͱຖय़ळͷ։࠵͞Ε͍ͯ·͢ɻ
͜ͷΠϕϯτwasforum͕։࠵͍ͯ͠·͢ɻ ۙͰ1/24ɺ25ʹԭೄͷສࠃྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/
MINI Hardeningͱ ▸ Hardening Project ͔Βੜͨ͠ϛχϓϩδΣΫτ 2014ͷ Hardening 10 Evolutions
Πϕϯτʹ͓͍ͯɺ ΞϯΧϯϑΝϨϯεͷՌͱͯ͠ൃ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ ఔͰHardeningڝٕৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com
աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵ όʔδϣϯ3ͷςʔϚʮԾ௨՟ࢢγϛϡϨʔγϣϯʯ ࡢ8݄ʹͰ։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵ͷ ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ
MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͕ࣾಥવʮ͜Ε͔ΒԾ ௨՟ͩʯͱએݴ͠ɺࣾࣗΒωοτຊͳͲΛࢀߟʹԾ ௨՟ަॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳڥʹ͍ͯ͘͠ɻ
ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕ޭ͢ΔຖʹಘɺSLAΛอͭ͜ͱ͕େࣄʂ
ϝϯόʔհ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ໊̏Ͱͨ͠(ʣʣ
͜͜Ͱ࣭
Έͳ͞Μݕূɾԋशڥ Ͳ͏ͬͯ࡞ͬͯ·͔͢ʁ
͋ΔΠϯϑϥ୲ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲ͷલऀ͕! ࣄ͕͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ
݁Ռ
ͥΜͥΜΘ͔Βͳ͍ʂ ԶͨͪงғؾͰ ΫϥυΛ͍ͬͯΔʂ ʮԶୡงғؾͰδΣωϨʔλʔΛ͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞ IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥυ
Πϯϑϥ୲ऀͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ() 20182݄͔Β20185݄GW໌͚·Ͱ11σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(ޱઃܭ) ࢀՃऀ45ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ
ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ (͘͞ΒͷΫϥυͰTerraform,PackerΛ༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ ʮαΠόʔԋशڥͷࣗಈߏங(Seed(KBC))ʯ (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com
ԋशڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛׂ ▸ ӡӦ-ڝٕؒ௨৴ΛڐՄɺڝٕνʔϜؒ௨৴ෆՄ ▸ ౿ΈαʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢
ԋशڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕ཧ͢ΔΞϓϦέʔγϣϯҎԼͷ௨Γ
Πϯϑϥߏஙखॱ ▸ ΈΜͳେ͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ ༻͍ͯ͠·͢ɻ .JUDIFMM)BTIJNPUPࢯ͕ઃཱ )BTIJDPSQ5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ͚ͷπʔϧΛ։ൃ ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ
https://www.hashicorp.com
ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardeningڥ͔Β TerraformingΛͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ ੜͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯมԽ
ڞ௨มΛઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲ ɾόʔδϣϯ ɾڝٕνʔϜ(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ
Πϝʔδ࡞ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞ʹPackerΛ༻ɺ ߏཧπʔϧʹAnsibleΛ༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍ڥΛ࡞Δͷख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ
ڥల։ޙͷݻ༗ઃఆ߲ ▸ ΠʔαϦΞϜͷΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্)
ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞ ▸ Πϯϑϥͷࣗಈల։(νʔϜʹԠͯ͡૿ݮʣ ˎ30ఔͰ100ऑͷαʔόల։ՄೳɺҰׅআ؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(ຯʹ໘͕ଟ͍ɺ͏ͬͯͳ͍)
▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅআίϚϯυ࣮ߦ݁Ռ
࣮Θͨ͠(ͨͪ)ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ Ͱࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·ͰΔͷͰڞ௨Խ͋ͱ·Θ͠ ▸ ςετॻ͍ͯ·ͤΜʂ
·ͱΊ
ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰϓϩάϥϛϯάʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥυɺπʔϧࣄΛ࠷͔ͭίʔυϨϕϧͰ ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹԿਓԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓
Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠
͜Ε͔ΒΓ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏPoweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard dutyʣ ▸ CIɺCDͷಋೖ
▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋशͬͪΌ͍ͳΑʂ
ଓ͖ΣϒͰ ▸ ʢએʣTerraformɺPackerͷͷଓ͖ ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦدߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413
͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ